diff --git a/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json b/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
index ab3c6d3b1c..86776d7c25 100644
--- a/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
+++ b/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
@@ -1,10 +1,35 @@
{
"type": "bundle",
- "id": "bundle--4631c103-384a-4f5e-9f32-fafa7764a0eb",
+ "id": "bundle--a3d20708-6dd1-4ca9-bec9-18790d9d13d2",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:56:58.380Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0803",
+ "external_id": "T0803"
+ },
+ {
+ "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+ "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+ "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+ },
+ {
+ "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
+ "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
+ "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:58:01.218Z",
"name": "Block Command Message",
"description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
"kill_chain_phases": [
@@ -31,31 +56,6 @@
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Flow",
"Operational Databases: Process/Event Alarm"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0803",
- "external_id": "T0803"
- },
- {
- "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
- "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
- "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
- },
- {
- "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
- "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
- "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json b/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
index 4989209723..1ab7a0a874 100644
--- a/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
+++ b/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
@@ -1,10 +1,30 @@
{
"type": "bundle",
- "id": "bundle--dee09093-0370-43a0-b117-4732706f185f",
+ "id": "bundle--25229b6b-afba-4ce2-95cb-4abd18b04863",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:56:58.586Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0881",
+ "external_id": "T0881"
+ },
+ {
+ "source_name": "Enterprise ATT&CK",
+ "description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ",
+ "url": "https://attack.mitre.org/techniques/T1489/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:58:03.170Z",
"name": "Service Stop",
"description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)",
"kill_chain_phases": [
@@ -33,26 +53,6 @@
"Service: Service Metadata",
"Windows Registry: Windows Registry Key Modification",
"Process: Process Creation"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0881",
- "external_id": "T0881"
- },
- {
- "source_name": "Enterprise ATT&CK",
- "description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ",
- "url": "https://attack.mitre.org/techniques/T1489/"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json b/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
index eea3cdd878..3d81a18f20 100644
--- a/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
+++ b/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--105d38ee-81db-4e2f-ba57-80452a959f39",
+ "id": "bundle--db0639cd-32bb-4604-9c14-d16ed03910d9",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:56:58.786Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0836",
+ "external_id": "T0836"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:10.077Z",
"name": "Modify Parameter",
"description": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "impair-process-control"
}
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Application Log: Application Log Content",
"Operational Databases: Device Alarm",
"Network Traffic: Network Traffic Content"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0836",
- "external_id": "T0836"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json b/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
index c128934339..7140dc0ac7 100644
--- a/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
+++ b/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
@@ -1,35 +1,9 @@
{
"type": "bundle",
- "id": "bundle--3024c052-2f10-45e2-a38f-79c2a0928672",
+ "id": "bundle--ab0efb01-4a64-4f2c-b605-535b55c0ba25",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:56:58.991Z",
- "name": "Modify Controller Tasking",
- "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "execution"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Operational Databases: Device Alarm",
- "Asset: Software"
- ],
"type": "attack-pattern",
"id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
"created": "2021-04-13T11:15:26.506Z",
@@ -49,6 +23,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:10.230Z",
+ "name": "Modify Controller Tasking",
+ "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Operational Databases: Device Alarm",
+ "Asset: Software"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json b/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
index cba5842b0d..d5f261df72 100644
--- a/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
+++ b/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
@@ -1,40 +1,9 @@
{
"type": "bundle",
- "id": "bundle--539bd006-4958-4246-84a8-092df15411c3",
+ "id": "bundle--e26b2205-6066-434d-a5ac-ee3880830188",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:56:59.193Z",
- "name": "Wireless Sniffing",
- "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "discovery"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_contributors": [
- "ICSCoE Japan"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow"
- ],
"type": "attack-pattern",
"id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
"created": "2020-05-21T17:43:26.506Z",
@@ -64,6 +33,37 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:10.392Z",
+ "name": "Wireless Sniffing",
+ "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "discovery"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "ICSCoE Japan"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Flow"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json b/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
index 2f135df3c2..4788792f0c 100644
--- a/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
+++ b/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
@@ -1,31 +1,14 @@
{
"type": "bundle",
- "id": "bundle--b44e9241-bcc6-4b8b-b01d-7e08f0462975",
+ "id": "bundle--fc5dd488-ddc9-45f6-bf2e-d8ffe711bcc4",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:56:59.396Z",
- "name": "Loss of View",
- "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
"created": "2020-05-21T17:43:26.506Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
@@ -39,8 +22,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
- "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
- "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
+ "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
+ "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -51,7 +34,27 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_is_subtechnique": false
+ "modified": "2025-04-15T19:58:08.228Z",
+ "name": "Loss of View",
+ "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json b/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
index 4d2a73e7d3..ef489beb7e 100644
--- a/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
+++ b/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
@@ -1,35 +1,9 @@
{
"type": "bundle",
- "id": "bundle--69e366dd-0c14-40d5-9f93-f2e8229dc0a7",
+ "id": "bundle--c1850b6d-f7d8-4b0f-ab9f-a53f6f21cf5c",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:56:59.593Z",
- "name": "Activate Firmware Update Mode",
- "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_contributors": [
- "Joe Slowik - Dragos"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Operational Databases: Device Alarm",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"created": "2020-05-21T17:43:26.506Z",
@@ -44,7 +18,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_is_subtechnique": false
+ "modified": "2025-04-16T21:26:10.552Z",
+ "name": "Activate Firmware Update Mode",
+ "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Joe Slowik - Dragos"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Operational Databases: Device Alarm",
+ "Application Log: Application Log Content"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json b/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
index c74c9e8d0c..e31cc02b9d 100644
--- a/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
+++ b/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--bdae619c-cb18-413f-9fab-422334a358d8",
+ "id": "bundle--1602b749-db30-4bfb-9af4-9fb05604257b",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:56:59.793Z",
- "name": "Manipulation of Control",
- "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,7 +33,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:10.752Z",
+ "name": "Manipulation of Control",
+ "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json b/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
index 4dbd9f9a1d..ca6e73e8f0 100644
--- a/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
+++ b/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--dfdeca24-c300-421c-a76d-d6628ae827bc",
+ "id": "bundle--f69e8e0b-5c2f-44bf-bffb-d024f3f3057b",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-10-14T19:00:55.006Z",
- "name": "Denial of Service",
- "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow",
- "Application Log: Application Log Content",
- "Operational Databases: Process History/Live Data"
- ],
"type": "attack-pattern",
"id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"created": "2020-05-21T17:43:26.506Z",
@@ -64,8 +39,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-15T19:58:10.656Z",
+ "name": "Denial of Service",
+ "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
"x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow",
+ "Application Log: Application Log Content",
+ "Operational Databases: Process History/Live Data"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json b/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
index 498ab38491..246684cd1f 100644
--- a/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
+++ b/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--79600bfc-10d7-46b4-8184-969e509e28e2",
+ "id": "bundle--501ea015-a615-41bf-a0aa-146b7633ceef",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:00.184Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0805",
+ "external_id": "T0805"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:10.923Z",
"name": "Block Serial COM",
"description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "inhibit-response-function"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -31,21 +46,6 @@
"Operational Databases: Process History/Live Data",
"Application Log: Application Log Content",
"Process: Process Termination"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0805",
- "external_id": "T0805"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91.json b/ics-attack/attack-pattern/attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91.json
index 88a8142b06..228916ec7b 100644
--- a/ics-attack/attack-pattern/attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91.json
+++ b/ics-attack/attack-pattern/attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--c287e357-55a9-4c4c-9cb3-6c918faf92e2",
+ "id": "bundle--5d784ea9-9a4d-4532-9d3a-ddff7bdb3425",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-04-08T18:57:58.010Z",
- "name": "System Binary Proxy Execution",
- "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)\n\nAdversaries may abuse application binaries installed on a system for proxy execution of malicious code or domain-specific commands. These commands could be used to target local resources on the device or networked devices within the environment through defined APIs ([Execution through API](https://attack.mitre.org/techniques/T0871)) or application-specific programming languages (e.g., MicroSCADA SCIL). Application binaries may be signed by the developer or generally trusted by the operators, analysts, and monitoring tools accustomed to the environment. These applications may be developed and/or directly provided by the device vendor to enable configuration, management, and operation of their devices without many alternatives. \n\nAdversaries may seek to target these trusted application binaries to execute or send commands without the development of custom malware. For example, adversaries may target a SCADA server binary which has the existing ability to send commands to substation devices, such as through IEC 104 command messages. Proxy execution may still require the development of custom tools to hook into the application binary\u2019s execution.\n\n",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "evasion"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Script: Script Execution",
- "Command: Command Execution",
- "Process: Process Creation"
- ],
"type": "attack-pattern",
"id": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
"created": "2024-03-25T20:16:15.016Z",
@@ -58,8 +34,32 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-15T19:58:11.559Z",
+ "name": "System Binary Proxy Execution",
+ "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)\n\nAdversaries may abuse application binaries installed on a system for proxy execution of malicious code or domain-specific commands. These commands could be used to target local resources on the device or networked devices within the environment through defined APIs ([Execution through API](https://attack.mitre.org/techniques/T0871)) or application-specific programming languages (e.g., MicroSCADA SCIL). Application binaries may be signed by the developer or generally trusted by the operators, analysts, and monitoring tools accustomed to the environment. These applications may be developed and/or directly provided by the device vendor to enable configuration, management, and operation of their devices without many alternatives. \n\nAdversaries may seek to target these trusted application binaries to execute or send commands without the development of custom malware. For example, adversaries may target a SCADA server binary which has the existing ability to send commands to substation devices, such as through IEC 104 command messages. Proxy execution may still require the development of custom tools to hook into the application binary\u2019s execution.\n\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "evasion"
+ }
+ ],
"x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Script: Script Execution",
+ "Command: Command Execution",
+ "Process: Process Creation"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json b/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
index 9bf992792d..3a0d2ebf0a 100644
--- a/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
+++ b/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
@@ -1,32 +1,9 @@
{
"type": "bundle",
- "id": "bundle--578194ed-1631-4afb-8387-b9e0a035c89c",
+ "id": "bundle--d7d381d2-5d20-445e-a858-86afe9161ef5",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Role Identification",
- "description": "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.\n\nFor example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Windows",
- "Human-Machine Interface",
- "Control Server",
- "Data Historian",
- "Field Controller/RTU/PLC/IED"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80",
"created": "2020-05-21T17:43:26.506Z",
@@ -41,6 +18,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:51.553Z",
+ "name": "Role Identification",
+ "description": "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.\n\nFor example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Human-Machine Interface",
+ "Control Server",
+ "Data Historian",
+ "Field Controller/RTU/PLC/IED"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json b/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
index 12167f42ee..a5a15ce2fd 100644
--- a/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
+++ b/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
@@ -1,35 +1,9 @@
{
"type": "bundle",
- "id": "bundle--0d48cec9-f168-4692-9889-563fc77f1c14",
+ "id": "bundle--7d4fc49a-aaaf-437c-8653-7f96561930f3",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:00.378Z",
- "name": "Command-Line Interface",
- "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "execution"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Command: Command Execution",
- "Application Log: Application Log Content",
- "Process: Process Creation"
- ],
"type": "attack-pattern",
"id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
"created": "2020-05-21T17:43:26.506Z",
@@ -49,6 +23,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:11.069Z",
+ "name": "Command-Line Interface",
+ "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Command: Command Execution",
+ "Application Log: Application Log Content",
+ "Process: Process Creation"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json b/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
index 285bd54901..71833ae1ec 100644
--- a/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
+++ b/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
@@ -1,37 +1,9 @@
{
"type": "bundle",
- "id": "bundle--a0f5866c-0fa9-4107-b505-0b330d59f639",
+ "id": "bundle--ebe6e2e7-049d-42fd-9527-1717b953d6f5",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:00.575Z",
- "name": "Point & Tag Identification",
- "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_contributors": [
- "Jos Wetzels - Midnight Blue"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,6 +23,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:11.231Z",
+ "name": "Point & Tag Identification",
+ "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Jos Wetzels - Midnight Blue"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json b/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
index 7071aa7de1..56c8fe4805 100644
--- a/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
+++ b/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--19e9d4e8-714c-42c4-b702-ea13e9b85e2a",
+ "id": "bundle--b1f2e0d8-910e-4237-87c7-24c4820939aa",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:00.768Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0816",
+ "external_id": "T0816"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:11.395Z",
"name": "Device Restart/Shutdown",
"description": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "inhibit-response-function"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Application Log: Application Log Content",
"Operational Databases: Device Alarm",
"Network Traffic: Network Traffic Content"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0816",
- "external_id": "T0816"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json b/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
index 5930da17db..fac85dd26c 100644
--- a/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
+++ b/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
@@ -1,10 +1,40 @@
{
"type": "bundle",
- "id": "bundle--a9feec49-ebb1-4706-bd37-ace35ef0372b",
+ "id": "bundle--c6b16db3-c0c0-4485-ba54-4dd1fb2d5c23",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:00.969Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0863",
+ "external_id": "T0863"
+ },
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ },
+ {
+ "source_name": "Daavid Hentunen, Antti Tikkanen June 2014",
+ "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ",
+ "url": "https://www.f-secure.com/weblog/archives/00002718.html"
+ },
+ {
+ "source_name": "CISA AA21-201A Pipeline Intrusion July 2021",
+ "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:58:15.054Z",
"name": "User Execution",
"description": "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
"kill_chain_phases": [
@@ -13,7 +43,7 @@
"phase_name": "execution"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -32,36 +62,6 @@
"File: File Access",
"Process: Process Creation",
"Network Traffic: Network Traffic Content"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0863",
- "external_id": "T0863"
- },
- {
- "source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
- "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
- },
- {
- "source_name": "Daavid Hentunen, Antti Tikkanen June 2014",
- "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ",
- "url": "https://www.f-secure.com/weblog/archives/00002718.html"
- },
- {
- "source_name": "CISA AA21-201A Pipeline Intrusion July 2021",
- "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ",
- "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json b/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
index ea5e708395..87efcff24f 100644
--- a/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
+++ b/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
@@ -1,38 +1,9 @@
{
"type": "bundle",
- "id": "bundle--6cdfa18b-c898-4779-bf8a-b8cc2a87f145",
+ "id": "bundle--aba9fcdf-a1db-46b3-a26c-fbf7dba101d1",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:01.165Z",
- "name": "Wireless Compromise",
- "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_contributors": [
- "Scott Dougherty"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Logon Session: Logon Session Creation",
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Flow"
- ],
"type": "attack-pattern",
"id": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
"created": "2020-05-21T17:43:26.506Z",
@@ -46,8 +17,8 @@
},
{
"source_name": "Alexander Bolshev March 2014",
- "description": "Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved. 2020/01/05 ",
- "url": "https://www.slideshare.net/dgpeters/17-bolshev-1-13"
+ "description": "Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved November 17, 2024. ",
+ "url": "https://www.slideshare.net/slideshow/17-bolshev-1-13/32178888"
},
{
"source_name": "Alexander Bolshev, Gleb Cherbov July 2014",
@@ -72,6 +43,35 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:58:15.610Z",
+ "name": "Wireless Compromise",
+ "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Scott Dougherty"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Logon Session: Logon Session Creation",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json b/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
index b1cd035608..d866a81859 100644
--- a/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
+++ b/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
@@ -1,39 +1,9 @@
{
"type": "bundle",
- "id": "bundle--cd91c1f3-1f88-46a7-be42-496f327149b6",
+ "id": "bundle--c0896d18-2c40-48d5-802d-e437df646cc4",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:01.367Z",
- "name": "Change Operating Mode",
- "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "execution"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "evasion"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content",
- "Operational Databases: Device Alarm"
- ],
"type": "attack-pattern",
"id": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
"created": "2020-05-21T17:43:26.506Z",
@@ -68,6 +38,36 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:11.583Z",
+ "name": "Change Operating Mode",
+ "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "evasion"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content",
+ "Operational Databases: Device Alarm"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json b/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
index 14dfa45076..a1ab0c7768 100644
--- a/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
+++ b/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
@@ -1,10 +1,30 @@
{
"type": "bundle",
- "id": "bundle--bce5f51a-fa14-40f7-8210-e10fb1251a0c",
+ "id": "bundle--aa22e8ab-f486-4cfe-89ba-badd44bfba2f",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:01.578Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0878",
+ "external_id": "T0878"
+ },
+ {
+ "source_name": "Jos Wetzels, Marina Krotofil 2019",
+ "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ",
+ "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:11.789Z",
"name": "Alarm Suppression",
"description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.",
"kill_chain_phases": [
@@ -13,7 +33,7 @@
"phase_name": "inhibit-response-function"
}
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Marina Krotofil",
"Jos Wetzels - Midnight Blue"
@@ -34,26 +54,6 @@
"Operational Databases: Process History/Live Data",
"Operational Databases: Device Alarm",
"Operational Databases: Process/Event Alarm"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0878",
- "external_id": "T0878"
- },
- {
- "source_name": "Jos Wetzels, Marina Krotofil 2019",
- "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ",
- "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json b/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
index a2429f0bca..22d5a682ef 100644
--- a/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
+++ b/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--720b4a11-226e-4b3c-a821-d8ca5c34328a",
+ "id": "bundle--12fdf5a9-8f66-469a-a4f7-5c1117f49fd6",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:01.778Z",
- "name": "Detect Operating Mode",
- "description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
"created": "2020-05-21T17:43:26.506Z",
@@ -62,6 +38,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:11.972Z",
+ "name": "Detect Operating Mode",
+ "description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json b/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
index 56bacf1c19..68d6db5286 100644
--- a/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
+++ b/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--e75082f3-3499-4800-bbce-f00dcd69147a",
+ "id": "bundle--5daec61b-37d9-44f4-8d0a-ebff3e02503f",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:01.994Z",
- "name": "Loss of Protection",
- "description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163",
"created": "2021-04-12T07:57:26.506Z",
@@ -39,7 +18,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:12.172Z",
+ "name": "Loss of Protection",
+ "description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json b/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
index 90a8f8af40..4083eeda3a 100644
--- a/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
+++ b/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
@@ -1,31 +1,9 @@
{
"type": "bundle",
- "id": "bundle--dc8aabfd-619c-4893-9caf-45f896017c5c",
+ "id": "bundle--f2d0becc-0dfb-480d-b443-4403d5ac3663",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:02.197Z",
- "name": "Monitor Process State",
- "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"created": "2020-05-21T17:43:26.506Z",
@@ -40,7 +18,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_is_subtechnique": false
+ "modified": "2025-04-16T21:26:12.337Z",
+ "name": "Monitor Process State",
+ "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json b/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
index 704c3c86e4..e9cc7826dd 100644
--- a/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
+++ b/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a2d15883-1d0f-4890-87c9-f859720708e2",
+ "id": "bundle--7154957a-a41f-4ba6-a0db-a8fe2b63c207",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:02.398Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0853",
+ "external_id": "T0853"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:12.511Z",
"name": "Scripting",
"description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. \n\nIn addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "execution"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -31,21 +46,6 @@
"Process: Process Metadata",
"Module: Module Load",
"Script: Script Execution"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0853",
- "external_id": "T0853"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json b/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
index 2e2e8a6c44..90cfc4e68b 100644
--- a/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
+++ b/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ae9bc590-47b5-4aba-8450-812fa2ef3c20",
+ "id": "bundle--6f2b0fca-3d35-480d-bb56-900367da5e75",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:02.595Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "created": "2021-04-13T12:45:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0888",
+ "external_id": "T0888"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:12.694Z",
"name": "Remote System Information Discovery",
"description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "discovery"
}
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Network Traffic: Network Traffic Content",
"File: File Access",
"Process: Process Creation"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
- "created": "2021-04-13T12:45:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0888",
- "external_id": "T0888"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json b/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
index 510c77504a..05ab6a85c5 100644
--- a/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
+++ b/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
@@ -1,32 +1,9 @@
{
"type": "bundle",
- "id": "bundle--1f6b3ec0-1d24-472f-b19e-2caf2cde31e8",
+ "id": "bundle--de95fb0a-d9ab-404e-b012-8646cfaedcb0",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:02.785Z",
- "name": "Program Upload",
- "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
"created": "2020-05-21T17:43:26.506Z",
@@ -41,7 +18,30 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_is_subtechnique": false
+ "modified": "2025-04-16T21:26:12.867Z",
+ "name": "Program Upload",
+ "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow",
+ "Application Log: Application Log Content"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json b/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
index 0de5187a2b..a83abdcdcc 100644
--- a/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
+++ b/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b8ddf62e-57aa-4707-9e2c-d81b8d026c84",
+ "id": "bundle--0b64dfe0-5e4d-4c38-8da6-cd1c0f5be920",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:02.990Z",
- "name": "Exploit Public-Facing Application",
- "description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
"created": "2020-05-21T17:43:26.506Z",
@@ -43,6 +18,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:13.044Z",
+ "name": "Exploit Public-Facing Application",
+ "description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json b/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
index 13cfd226b3..a2f12d50fa 100644
--- a/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
+++ b/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
@@ -1,35 +1,9 @@
{
"type": "bundle",
- "id": "bundle--635a831f-1e2c-4722-bdf7-359e141ec678",
+ "id": "bundle--291986f7-e770-44b4-b935-43d8525c550d",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:03.187Z",
- "name": "Data from Information Repositories",
- "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Logon Session: Logon Session Creation",
- "Network Share: Network Share Access",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +28,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:13.205Z",
+ "name": "Data from Information Repositories",
+ "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Logon Session: Logon Session Creation",
+ "Network Share: Network Share Access",
+ "Application Log: Application Log Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json b/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
index 0f04452089..b952537313 100644
--- a/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
+++ b/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
@@ -1,10 +1,30 @@
{
"type": "bundle",
- "id": "bundle--706a3313-4d82-4731-af3d-c35de8bc256b",
+ "id": "bundle--852854f4-1065-422e-a52b-ecf07d60ee4b",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:03.395Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "created": "2021-10-14T15:25:32.143Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0864",
+ "external_id": "T0864"
+ },
+ {
+ "source_name": "North American Electric Reliability Corporation June 2021",
+ "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ",
+ "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:58:21.226Z",
"name": "Transient Cyber Asset",
"description": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. \n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. \n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. ",
"kill_chain_phases": [
@@ -28,26 +48,6 @@
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Application Log: Application Log Content"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
- "created": "2021-10-14T15:25:32.143Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0864",
- "external_id": "T0864"
- },
- {
- "source_name": "North American Electric Reliability Corporation June 2021",
- "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ",
- "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json b/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
index 28be9ea106..b32039ed6b 100644
--- a/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
+++ b/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--553287a0-f0a8-4d61-8481-09b99b9fb68a",
+ "id": "bundle--43977e83-ee05-4237-9322-4f8241b4de8e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:03.589Z",
- "name": "Manipulate I/O Image",
- "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Asset: Software"
- ],
"type": "attack-pattern",
"id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
"created": "2020-05-21T17:43:26.506Z",
@@ -41,8 +17,8 @@
},
{
"source_name": "Dr. Kelvin T. Erickson December 2010",
- "description": "Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 ",
- "url": "https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/"
+ "description": "Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved November 17, 2024.",
+ "url": "https://www.scribd.com/document/458637574/Programmable-Logic-Controllers"
},
{
"source_name": "Nanjundaiah, Vaidyanath",
@@ -52,6 +28,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:58:22.225Z",
+ "name": "Manipulate I/O Image",
+ "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Asset: Software"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json b/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
index f988f39702..d7d40ac1ff 100644
--- a/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
+++ b/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--79752e46-017e-4c27-997e-0790f802dd84",
+ "id": "bundle--a25b7d42-ebb5-4cbc-a4ed-a8228a3c473f",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:03.783Z",
- "name": "Network Sniffing",
- "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "discovery"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Process: Process Creation",
- "Command: Command Execution"
- ],
"type": "attack-pattern",
"id": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,6 +23,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:13.380Z",
+ "name": "Network Sniffing",
+ "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Process: Process Creation",
+ "Command: Command Execution"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json b/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
index 3ad581d349..e583d81008 100644
--- a/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
+++ b/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
@@ -1,37 +1,9 @@
{
"type": "bundle",
- "id": "bundle--1f332081-fd16-4521-b9a8-9f3dfd729531",
+ "id": "bundle--a6c6ff04-05f5-4e38-b9c6-172c772de1ca",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:03.989Z",
- "name": "Rootkit",
- "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "evasion"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Firmware: Firmware Modification"
- ],
"type": "attack-pattern",
"id": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,6 +23,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:13.542Z",
+ "name": "Rootkit",
+ "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "evasion"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Firmware: Firmware Modification"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json b/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
index a92363bfda..70e824971b 100644
--- a/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
+++ b/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--a39c0736-3814-493d-8ee9-59671932bca0",
+ "id": "bundle--cad665a0-d7fd-49c0-8417-2558d53d1721",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-04-05T16:34:58.587Z",
- "name": "Automated Collection",
- "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Script: Script Execution",
- "Command: Command Execution",
- "File: File Access",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
"created": "2020-05-21T17:43:26.506Z",
@@ -44,8 +19,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-15T19:58:24.843Z",
+ "name": "Automated Collection",
+ "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
"x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Script: Script Execution",
+ "Command: Command Execution",
+ "File: File Access",
+ "Network Traffic: Network Traffic Content"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json b/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json
index 0cebcb1197..aec971a147 100644
--- a/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json
+++ b/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json
@@ -1,37 +1,9 @@
{
"type": "bundle",
- "id": "bundle--57aeafde-021f-4a0d-9d40-72f950dd57f5",
+ "id": "bundle--f9573cc1-e0f6-409c-962e-573df978f272",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:04.376Z",
- "name": "Block Reporting Message",
- "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Operational Databases: Process/Event Alarm",
- "Process: Process Termination",
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Flow",
- "Operational Databases: Process History/Live Data"
- ],
"type": "attack-pattern",
"id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"created": "2020-05-21T17:43:26.506Z",
@@ -56,6 +28,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:13.771Z",
+ "name": "Block Reporting Message",
+ "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Operational Databases: Process/Event Alarm",
+ "Process: Process Termination",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow",
+ "Operational Databases: Process History/Live Data"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json b/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
index 88254b37fb..bd4f835c15 100644
--- a/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
+++ b/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
@@ -1,37 +1,9 @@
{
"type": "bundle",
- "id": "bundle--533244eb-f45e-46c7-9cf1-4c272d6a9500",
+ "id": "bundle--6df02c62-8cf5-4939-8b69-18997fb3d249",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:04.582Z",
- "name": "Unauthorized Command Message",
- "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impair-process-control"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Operational Databases: Process History/Live Data",
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Flow",
- "Operational Databases: Process/Event Alarm",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"created": "2020-05-21T17:43:26.506Z",
@@ -61,6 +33,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:13.939Z",
+ "name": "Unauthorized Command Message",
+ "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impair-process-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Operational Databases: Process History/Live Data",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow",
+ "Operational Databases: Process/Event Alarm",
+ "Network Traffic: Network Traffic Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json b/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json
index 83c8166f8f..596e9dca60 100644
--- a/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json
+++ b/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json
@@ -1,39 +1,9 @@
{
"type": "bundle",
- "id": "bundle--1bdc3edd-17bd-43d4-83d8-daf594aa742e",
+ "id": "bundle--4fa08406-2946-4697-9bba-8f2d88527e94",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:04.784Z",
- "name": "Data Destruction",
- "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_contributors": [
- "Matan Dobrushin - Otorio"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "File: File Modification",
- "Process: Process Creation",
- "File: File Deletion",
- "Command: Command Execution"
- ],
"type": "attack-pattern",
"id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"created": "2020-05-21T17:43:26.506Z",
@@ -53,6 +23,36 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:14.108Z",
+ "name": "Data Destruction",
+ "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Matan Dobrushin - Otorio"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "File: File Modification",
+ "Process: Process Creation",
+ "File: File Deletion",
+ "Command: Command Execution"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json b/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
index 98795fb132..b7b815d721 100644
--- a/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
+++ b/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--5c4da42c-f734-42b6-b5db-2285d7bdee96",
+ "id": "bundle--cdcb11fc-3cb4-47e4-bfd8-ecee63541d46",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:04.993Z",
- "name": "Manipulation of View",
- "description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec",
"created": "2020-05-21T17:43:26.506Z",
@@ -43,8 +22,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
- "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
- "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
+ "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
+ "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -54,7 +33,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-15T19:58:29.210Z",
+ "name": "Manipulation of View",
+ "description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json b/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
index eb34e9930f..e8cddaf32b 100644
--- a/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
+++ b/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--3b005c8d-61dc-4d46-a0d6-157d5d939213",
+ "id": "bundle--f39bd2f2-9db6-414c-a880-1b3a3777a97b",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Data Historian Compromise",
- "description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. \n\nDragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. (Citation: Industroyer - Dragos - 201810) The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be \"expected to have extensive connections\" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.\n\nPermissions Required: Administrator\n\nContributors: Joe Slowik - Dragos",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_contributors": [
- "Joe Slowik - Dragos"
- ],
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_permissions_required": [
- "Administrator"
- ],
"type": "attack-pattern",
"id": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,6 +23,28 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:51.727Z",
+ "name": "Data Historian Compromise",
+ "description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. \n\nDragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. (Citation: Industroyer - Dragos - 201810) The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be \"expected to have extensive connections\" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.\n\nPermissions Required: Administrator\n\nContributors: Joe Slowik - Dragos",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Joe Slowik - Dragos"
+ ],
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json b/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json
index 5b78548a5f..3b9bf0cc2e 100644
--- a/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json
+++ b/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json
@@ -1,29 +1,9 @@
{
"type": "bundle",
- "id": "bundle--27b1a151-53d0-4567-8eeb-76c6c036c5ae",
+ "id": "bundle--85da482c-b831-4051-b333-486ead28f76f",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Network Service Scanning",
- "description": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap].\n\nAn adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .\n\nScanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "discovery"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Windows",
- "Field Controller/RTU/PLC/IED"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00",
"created": "2020-05-21T17:43:26.506Z",
@@ -38,6 +18,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:51.904Z",
+ "name": "Network Service Scanning",
+ "description": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap].\n\nAn adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .\n\nScanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Field Controller/RTU/PLC/IED"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json b/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json
index 5825f3cd44..852d8dcb8f 100644
--- a/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json
+++ b/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json
@@ -1,37 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b8192762-5f51-40fa-a5cd-bc6c258fe194",
+ "id": "bundle--86199163-b93e-466a-b9a2-5e1d09373077",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:05.190Z",
- "name": "Indicator Removal on Host",
- "description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "evasion"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Command: Command Execution",
- "Process: OS API Execution",
- "Windows Registry: Windows Registry Key Modification",
- "File: File Metadata",
- "Windows Registry: Windows Registry Key Deletion",
- "File: File Deletion",
- "File: File Modification",
- "Process: Process Creation"
- ],
"type": "attack-pattern",
"id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"created": "2020-05-21T17:43:26.506Z",
@@ -46,7 +18,35 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_is_subtechnique": false
+ "modified": "2025-04-16T21:26:14.295Z",
+ "name": "Indicator Removal on Host",
+ "description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "evasion"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_data_sources": [
+ "Command: Command Execution",
+ "Process: OS API Execution",
+ "Windows Registry: Windows Registry Key Modification",
+ "File: File Metadata",
+ "Windows Registry: Windows Registry Key Deletion",
+ "File: File Deletion",
+ "File: File Modification",
+ "Process: Process Creation"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json b/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
index e5e5892bbe..58e8e96905 100644
--- a/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
+++ b/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--faa10d6c-6bd5-4a61-a008-889e57071231",
+ "id": "bundle--a3ca25ad-ced3-4a57-a5e0-bed2cdb947db",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:05.375Z",
- "name": "I/O Image",
- "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Asset: Software"
- ],
"type": "attack-pattern",
"id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
"created": "2020-05-21T17:43:26.506Z",
@@ -52,6 +28,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:14.462Z",
+ "name": "I/O Image",
+ "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Asset: Software"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json b/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json
index 9bba9a50a9..a4508e37da 100644
--- a/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json
+++ b/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--96dc18b5-f6f5-4720-89e3-f8dbda8499a9",
+ "id": "bundle--d59e3a0c-1396-490f-ab55-0ecdec418a30",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:05.576Z",
- "name": "Denial of View",
- "description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
"type": "attack-pattern",
"id": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac",
"created": "2020-05-21T17:43:26.506Z",
@@ -43,8 +22,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
- "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
- "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
+ "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
+ "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -54,7 +33,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-15T19:58:33.142Z",
+ "name": "Denial of View",
+ "description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json b/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
index 5847fa48ca..c51b95af95 100644
--- a/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
+++ b/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--69e547b8-a453-4f69-8080-b3ae4892938c",
+ "id": "bundle--889e1502-c9d0-4104-ad6c-f4ff6ec5e672",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:05.776Z",
- "name": "Execution through API",
- "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "execution"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Process: OS API Execution"
- ],
"type": "attack-pattern",
"id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"created": "2020-05-21T17:43:26.506Z",
@@ -42,6 +18,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:14.643Z",
+ "name": "Execution through API",
+ "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Process: OS API Execution"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json b/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json
index b0234e7186..7f9ae42e49 100644
--- a/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json
+++ b/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--097b7c03-fddb-4a38-b5c9-29f34aff6f0f",
+ "id": "bundle--ab94c0aa-e315-4ed7-a8df-6a86222d8ecc",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:05.975Z",
- "name": "Supply Chain Compromise",
- "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "File: File Metadata"
- ],
"type": "attack-pattern",
"id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"created": "2020-05-21T17:43:26.506Z",
@@ -52,6 +28,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:14.822Z",
+ "name": "Supply Chain Compromise",
+ "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "File: File Metadata"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json b/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json
index e7907edf2a..4adc680952 100644
--- a/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json
+++ b/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--3461b521-8496-4888-8d37-2dd83eb2db82",
+ "id": "bundle--9255b87a-2a15-4e5a-83e5-5773ac59a8e4",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Serial Connection Enumeration",
- "description": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.\n\nWhile IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "discovery"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Windows",
- "Input/Output Server",
- "Field Controller/RTU/PLC/IED"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55",
"created": "2020-05-21T17:43:26.506Z",
@@ -39,6 +18,27 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:52.087Z",
+ "name": "Serial Connection Enumeration",
+ "description": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.\n\nWhile IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Input/Output Server",
+ "Field Controller/RTU/PLC/IED"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json b/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
index b5206fffbc..f2c4054e30 100644
--- a/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
+++ b/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--eb38914c-283d-43c9-bdb9-cfb535fb24e0",
+ "id": "bundle--f01dc995-36c5-41e6-a524-19a8122a3262",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:06.171Z",
- "name": "Loss of Safety",
- "description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2",
"created": "2020-05-21T17:43:26.506Z",
@@ -39,7 +18,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:14.990Z",
+ "name": "Loss of Safety",
+ "description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json b/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json
index 51c4d26523..960491ae0f 100644
--- a/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json
+++ b/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--7ba93ba2-f891-411c-9c94-235052400dfd",
+ "id": "bundle--f2f5b59a-e53f-4acb-ac38-9238729b0fa3",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:06.362Z",
- "name": "Loss of Productivity and Revenue",
- "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,7 +33,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:15.157Z",
+ "name": "Loss of Productivity and Revenue",
+ "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json b/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json
index a3b38f5e0f..7c45886d39 100644
--- a/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json
+++ b/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json
@@ -1,36 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b0ce9c57-5635-4dff-ae3f-8ab72b0f09c0",
+ "id": "bundle--133a6d06-ef69-4f88-974b-2bf7e5688bc1",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:06.577Z",
- "name": "Spearphishing Attachment",
- "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Process: Process Creation",
- "File: File Creation",
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
"created": "2020-05-21T17:43:26.506Z",
@@ -55,6 +28,33 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:15.346Z",
+ "name": "Spearphishing Attachment",
+ "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Process: Process Creation",
+ "File: File Creation",
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json b/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json
index eea4d2f681..5fd64bf062 100644
--- a/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json
+++ b/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json
@@ -1,29 +1,9 @@
{
"type": "bundle",
- "id": "bundle--c75b9124-9865-4a99-ba8a-2dab9ab6df16",
+ "id": "bundle--22469621-9b58-4ec6-9d66-d52cef9d56fc",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Location Identification",
- "description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. \n\nAn adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Windows",
- "Control Server"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a",
"created": "2020-05-21T17:43:26.506Z",
@@ -43,6 +23,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:52.279Z",
+ "name": "Location Identification",
+ "description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. \n\nAn adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Control Server"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d.json b/ics-attack/attack-pattern/attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d.json
index ab20a9af25..0f3cb6bf46 100644
--- a/ics-attack/attack-pattern/attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d.json
+++ b/ics-attack/attack-pattern/attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d.json
@@ -1,29 +1,9 @@
{
"type": "bundle",
- "id": "bundle--41a7a6c0-6d76-407a-be72-2471f5b0d58f",
+ "id": "bundle--b4f560a0-3610-4229-9998-094af21dcb03",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-04-08T18:54:40.925Z",
- "name": "Autorun Image",
- "description": "Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor. \n\nAn example could include an adversary gaining access to a hypervisor through the management interface to modify a virtual machine\u2019s hardware configuration. They could then deploy an iso image with a malicious AutoRun script to cause the virtual machine to automatically execute the code contained on the disk image. This would enable the execution of malicious code within a virtual machine without needing any prior remote access to that system.\n",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "execution"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Drive: Drive Creation",
- "Process: Process Creation"
- ],
"type": "attack-pattern",
"id": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
"created": "2024-03-26T15:39:19.473Z",
@@ -39,8 +19,28 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-15T19:58:42.824Z",
+ "name": "Autorun Image",
+ "description": "Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor. \n\nAn example could include an adversary gaining access to a hypervisor through the management interface to modify a virtual machine\u2019s hardware configuration. They could then deploy an iso image with a malicious AutoRun script to cause the virtual machine to automatically execute the code contained on the disk image. This would enable the execution of malicious code within a virtual machine without needing any prior remote access to that system.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ }
+ ],
"x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Drive: Drive Creation",
+ "Process: Process Creation"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json b/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
index 06fecb4df1..3a27992996 100644
--- a/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
+++ b/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
@@ -1,37 +1,9 @@
{
"type": "bundle",
- "id": "bundle--c963a2d1-8b04-47db-bccc-324b0b9e0aa3",
+ "id": "bundle--2e5acb2b-5a1a-443e-8afd-d5550bf0408b",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:06.780Z",
- "name": "Drive-by Compromise",
- "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content",
- "Process: Process Creation",
- "File: File Creation",
- "Network Traffic: Network Connection Creation"
- ],
"type": "attack-pattern",
"id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,6 +23,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:15.525Z",
+ "name": "Drive-by Compromise",
+ "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content",
+ "Process: Process Creation",
+ "File: File Creation",
+ "Network Traffic: Network Connection Creation"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json b/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json
index c1476612d6..87422ba66d 100644
--- a/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json
+++ b/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--71ddb84b-37fe-4c91-a30c-b701ce0a19b5",
+ "id": "bundle--f9ac335c-7037-4da7-ba5b-851549cc9d88",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:06.993Z",
- "name": "Damage to Property",
- "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
"type": "attack-pattern",
"id": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916",
"created": "2020-05-21T17:43:26.506Z",
@@ -59,7 +38,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:15.731Z",
+ "name": "Damage to Property",
+ "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json b/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json
index bc8da2bc08..5110a90320 100644
--- a/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json
+++ b/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json
@@ -1,40 +1,9 @@
{
"type": "bundle",
- "id": "bundle--9778118e-2f53-43ff-9aab-2381e6a13a6b",
+ "id": "bundle--09810e3d-9321-4126-8d77-fd62c6af61b3",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:07.260Z",
- "name": "Spoof Reporting Message",
- "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "evasion"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impair-process-control"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
- "Operational Databases: Device Alarm",
- "Windows Registry: Windows Registry Key Modification",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +23,37 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:15.909Z",
+ "name": "Spoof Reporting Message",
+ "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "evasion"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impair-process-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Flow",
+ "Operational Databases: Device Alarm",
+ "Windows Registry: Windows Registry Key Modification",
+ "Network Traffic: Network Traffic Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json b/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
index 085a899c94..1dde061c7b 100644
--- a/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
+++ b/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
@@ -1,38 +1,9 @@
{
"type": "bundle",
- "id": "bundle--0eb75fb4-a17a-4c56-a8bf-55a615252a32",
+ "id": "bundle--5a6e7c21-f5c0-4446-871b-68e8a846db0d",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:07.457Z",
- "name": "Exploitation of Remote Services",
- "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "lateral-movement"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"created": "2020-05-21T17:43:26.506Z",
@@ -57,6 +28,35 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:16.054Z",
+ "name": "Exploitation of Remote Services",
+ "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json b/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
index 5beb49bb8e..d6e541c437 100644
--- a/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
+++ b/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--ef7d5cac-fb78-49be-8f04-577bc15d4227",
+ "id": "bundle--06e4dd29-284c-4335-9a90-75e2ede9d0cc",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:07.653Z",
- "name": "Default Credentials",
- "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "lateral-movement"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Logon Session: Logon Session Creation"
- ],
"type": "attack-pattern",
"id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,6 +23,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:16.206Z",
+ "name": "Default Credentials",
+ "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Logon Session: Logon Session Creation"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json b/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
index ff90397648..a469d0d0d2 100644
--- a/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
+++ b/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
@@ -1,35 +1,9 @@
{
"type": "bundle",
- "id": "bundle--4457a531-7d9f-4cf5-b8cd-e3c450cafaf5",
+ "id": "bundle--2f4dddd5-c441-43da-807b-553123e760f2",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:07.840Z",
- "name": "External Remote Services",
- "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
- "Logon Session: Logon Session Metadata",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +28,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:16.385Z",
+ "name": "External Remote Services",
+ "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Flow",
+ "Logon Session: Logon Session Metadata",
+ "Application Log: Application Log Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json b/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
index 25670013d6..2c8958dd53 100644
--- a/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
+++ b/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--acaaabcd-008e-487b-8a1a-a831f833ee6f",
+ "id": "bundle--a5553ade-d94c-4347-a66d-d34d4cb5fd1c",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:08.037Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0806",
+ "external_id": "T0806"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:16.573Z",
"name": "Brute Force I/O",
"description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. \n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "impair-process-control"
}
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -29,21 +44,6 @@
"Operational Databases: Process History/Live Data",
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Content"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0806",
- "external_id": "T0806"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json b/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
index 2821776d45..7d15f68943 100644
--- a/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
+++ b/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
@@ -1,29 +1,9 @@
{
"type": "bundle",
- "id": "bundle--836f70fb-3693-45e5-bd37-ee84259490e6",
+ "id": "bundle--a068261e-2bcd-4b59-bb4f-c77aff423c2d",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Detect Program State",
- "description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Windows",
- "Field Controller/RTU/PLC/IED"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541",
"created": "2020-05-21T17:43:26.506Z",
@@ -38,6 +18,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:52.452Z",
+ "name": "Detect Program State",
+ "description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Field Controller/RTU/PLC/IED"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json b/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
index ca0009af75..f6ae7780cc 100644
--- a/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
+++ b/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
@@ -1,41 +1,9 @@
{
"type": "bundle",
- "id": "bundle--9cc252d5-879d-4c78-821a-5a4b1217fd0a",
+ "id": "bundle--1275136c-cc4a-4c29-a4c7-4d26173d592e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:08.233Z",
- "name": "Adversary-in-the-Middle",
- "description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_contributors": [
- "Conrad Layne - GE Digital"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "2.0",
- "x_mitre_data_sources": [
- "Windows Registry: Windows Registry Key Modification",
- "Process: Process Creation",
- "Network Traffic: Network Traffic Flow",
- "Service: Service Creation",
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"created": "2020-05-21T17:43:26.506Z",
@@ -60,6 +28,38 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:16.777Z",
+ "name": "Adversary-in-the-Middle",
+ "description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Conrad Layne - GE Digital"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "2.0",
+ "x_mitre_data_sources": [
+ "Windows Registry: Windows Registry Key Modification",
+ "Process: Process Creation",
+ "Network Traffic: Network Traffic Flow",
+ "Service: Service Creation",
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json b/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json
index 4e3ec28664..8dd55145a0 100644
--- a/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json
+++ b/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--1be9e353-003b-4ebd-aaa0-dd2a964831a1",
+ "id": "bundle--93700baa-0b76-4e23-bccc-1674d1d3ef78",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:08.425Z",
- "name": "Exploitation for Evasion",
- "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "evasion"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"created": "2020-05-21T17:43:26.506Z",
@@ -42,6 +18,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:16.960Z",
+ "name": "Exploitation for Evasion",
+ "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "evasion"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json b/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json
index 63e6b4dc7c..7761a69f91 100644
--- a/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json
+++ b/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--d62a83c9-711a-4a21-b1c7-fa75765acd3d",
+ "id": "bundle--aeaf45e6-04a8-44e3-a5ef-eca159afc5d3",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:08.613Z",
- "name": "Loss of Control",
- "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_contributors": [
- "Dragos Threat Intelligence"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,8 +27,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
- "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
- "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
+ "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
+ "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -62,7 +38,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-15T19:58:56.356Z",
+ "name": "Loss of Control",
+ "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Dragos Threat Intelligence"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json b/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json
index 4fc0f78da5..6409fb0d6a 100644
--- a/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json
+++ b/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json
@@ -1,32 +1,9 @@
{
"type": "bundle",
- "id": "bundle--5e9fb575-f0b6-4cfe-8b9f-5fb3ddc21d73",
+ "id": "bundle--be6a2f77-2ba2-4e09-8b5b-9a4070996566",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Change Program State",
- "description": "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "execution"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impair-process-control"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Field Controller/RTU/PLC/IED"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a",
"created": "2020-05-21T17:43:26.506Z",
@@ -41,6 +18,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:52.634Z",
+ "name": "Change Program State",
+ "description": "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impair-process-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Field Controller/RTU/PLC/IED"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json b/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json
index 4c2c5d190c..87112cc7df 100644
--- a/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json
+++ b/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json
@@ -1,38 +1,9 @@
{
"type": "bundle",
- "id": "bundle--ba34e62b-16a5-495f-8e36-e8964fc532e1",
+ "id": "bundle--fcf7814d-9410-4862-b7f3-14423fe847e0",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:08.803Z",
- "name": "Hooking",
- "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "execution"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "privilege-escalation"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Process: OS API Execution",
- "Process: Process Metadata"
- ],
"type": "attack-pattern",
"id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"created": "2020-05-21T17:43:26.506Z",
@@ -51,12 +22,41 @@
},
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:58:56.978Z",
+ "name": "Hooking",
+ "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Process: OS API Execution",
+ "Process: Process Metadata"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json b/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json
index 97056286cb..6ada9ce884 100644
--- a/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json
+++ b/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json
@@ -1,29 +1,9 @@
{
"type": "bundle",
- "id": "bundle--5976f235-f6c2-4317-9336-c9f82cbf1ee0",
+ "id": "bundle--19a2cab1-f790-4aab-b40e-9512a3e31248",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Control Device Identification",
- "description": "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "discovery"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Windows",
- "Field Controller/RTU/PLC/IED"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45",
"created": "2020-05-21T17:43:26.506Z",
@@ -38,6 +18,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:52.814Z",
+ "name": "Control Device Identification",
+ "description": "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Field Controller/RTU/PLC/IED"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json b/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json
index f69dbe0290..03da91c59c 100644
--- a/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json
+++ b/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--1378f390-6553-47b7-ad1b-f1004f132303",
+ "id": "bundle--ea243e47-3870-44e7-8203-1014dac65620",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Program Organization Units",
- "description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "lateral-movement"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "execution"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Windows",
- "Safety Instrumented System/Protection Relay",
- "Field Controller/RTU/PLC/IED"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7",
"created": "2020-05-21T17:43:26.506Z",
@@ -58,6 +33,31 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:53.005Z",
+ "name": "Program Organization Units",
+ "description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Safety Instrumented System/Protection Relay",
+ "Field Controller/RTU/PLC/IED"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json b/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json
index ae28019830..a74c53b8fd 100644
--- a/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json
+++ b/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--23145bc2-d7b8-4bc8-a10c-63caf3bfba5e",
+ "id": "bundle--b4150f22-af9d-4a46-95e1-39a1e1f6f15a",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:08.992Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0823",
+ "external_id": "T0823"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:17.144Z",
"name": "Graphical User Interface",
"description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "execution"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Command: Command Execution",
"Module: Module Load",
"Logon Session: Logon Session Creation"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0823",
- "external_id": "T0823"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json b/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json
index 744e852e86..093da4e570 100644
--- a/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json
+++ b/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json
@@ -1,37 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b632423d-92b3-497a-8aa2-629d6c076f3c",
+ "id": "bundle--d8908504-795d-44b3-bf0d-aa620b946956",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:09.193Z",
- "name": "Rogue Master",
- "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Asset: Asset Inventory",
- "Network Traffic: Network Traffic Flow",
- "Operational Databases: Device Alarm",
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"created": "2020-05-21T17:43:26.506Z",
@@ -56,6 +28,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:17.326Z",
+ "name": "Rogue Master",
+ "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Asset: Asset Inventory",
+ "Network Traffic: Network Traffic Flow",
+ "Operational Databases: Device Alarm",
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json b/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json
index 8c9a77d88c..cf4b67e228 100644
--- a/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json
+++ b/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--4972b7e0-c17d-4a0f-af4c-a7aaa5ad26af",
+ "id": "bundle--48d4bf79-47bc-46e7-ab38-be3dd6aa9f07",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:09.388Z",
- "name": "Native API",
- "description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "execution"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Process: OS API Execution"
- ],
"type": "attack-pattern",
"id": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"created": "2021-04-13T12:36:26.506Z",
@@ -47,6 +23,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:17.499Z",
+ "name": "Native API",
+ "description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Process: OS API Execution"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json b/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json
index e3f6d0cf2f..0d4113320a 100644
--- a/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json
+++ b/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--2fa63742-4411-4571-8bed-28bca022962b",
+ "id": "bundle--5f9329b1-46b1-4ba0-9b56-90b3135a2fa7",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:09.581Z",
- "name": "Loss of Availability",
- "description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,8 +27,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
- "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
- "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
+ "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
+ "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -59,7 +38,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-15T19:59:00.088Z",
+ "name": "Loss of Availability",
+ "description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json b/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json
index 3efc00974c..5c256581a7 100644
--- a/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json
+++ b/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json
@@ -1,27 +1,9 @@
{
"type": "bundle",
- "id": "bundle--ffb06f32-b4e5-4077-8c43-a7600cd41892",
+ "id": "bundle--ae21e6de-3a21-4dfb-ba97-5818b2e38425",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:09.780Z",
- "name": "Theft of Operational Information",
- "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
"created": "2020-05-21T17:43:26.506Z",
@@ -46,6 +28,24 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T21:26:17.698Z",
+ "name": "Theft of Operational Information",
+ "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json b/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json
index 3055737523..3db318ab5d 100644
--- a/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json
+++ b/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json
@@ -1,40 +1,9 @@
{
"type": "bundle",
- "id": "bundle--f2d4acb1-93ef-4dd4-891c-78bfedc23a1f",
+ "id": "bundle--32ab5228-b389-4925-b7f1-4dd98e2cba1c",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:09.988Z",
- "name": "System Firmware",
- "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Operational Databases: Device Alarm",
- "Application Log: Application Log Content",
- "Firmware: Firmware Modification",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +23,37 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:17.862Z",
+ "name": "System Firmware",
+ "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Operational Databases: Device Alarm",
+ "Application Log: Application Log Content",
+ "Firmware: Firmware Modification",
+ "Network Traffic: Network Traffic Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json b/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json
index 0f78e24170..62c5c428f5 100644
--- a/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json
+++ b/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--83486cc8-a5fa-4057-aca0-3a32c79d44b7",
+ "id": "bundle--e8170aeb-4be4-440b-bb34-82b9535b4139",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:10.181Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0849",
+ "external_id": "T0849"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:18.036Z",
"name": "Masquerading",
"description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \n\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "evasion"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -34,21 +49,6 @@
"Service: Service Modification",
"File: File Metadata",
"Scheduled Job: Scheduled Job Creation"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0849",
- "external_id": "T0849"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json b/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json
index 531ff6a4eb..05bc120e5b 100644
--- a/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json
+++ b/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5c1cc0ff-bdfd-4d8e-b01a-eae1f7e66076",
+ "id": "bundle--2614ea9c-4934-4cbf-8be3-1c13bf46f055",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:10.374Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0843",
+ "external_id": "T0843"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:18.212Z",
"name": "Program Download",
"description": "Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space. \n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "lateral-movement"
}
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -30,21 +45,6 @@
"Network Traffic: Network Traffic Content",
"Asset: Asset Inventory",
"Application Log: Application Log Content"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0843",
- "external_id": "T0843"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json b/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json
index a1a9338c56..dfe68040e7 100644
--- a/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json
+++ b/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json
@@ -1,36 +1,9 @@
{
"type": "bundle",
- "id": "bundle--44ed6ffd-b66f-4bc1-8505-1f8a96211f29",
+ "id": "bundle--b5c26b72-55cc-4f16-8c39-e118dbdd9223",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:10.581Z",
- "name": "Replication Through Removable Media",
- "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Process: Process Creation",
- "File: File Creation",
- "Drive: Drive Creation",
- "File: File Access"
- ],
"type": "attack-pattern",
"id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"created": "2020-05-21T17:43:26.506Z",
@@ -74,8 +47,8 @@
},
{
"source_name": "Lee Mathews April 2016",
- "description": "Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses Retrieved. 2019/10/14 ",
- "url": "https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/"
+ "description": "Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses. Retrieved November 17, 2024. ",
+ "url": "https://web.archive.org/web/20160430041256/https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/"
},
{
"source_name": "Peter Dockrill April 2016",
@@ -95,6 +68,33 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:59:04.946Z",
+ "name": "Replication Through Removable Media",
+ "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Process: Process Creation",
+ "File: File Creation",
+ "Drive: Drive Creation",
+ "File: File Access"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json b/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json
index 4ab4b6e4f4..9349c95dc8 100644
--- a/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json
+++ b/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json
@@ -1,31 +1,9 @@
{
"type": "bundle",
- "id": "bundle--a570b71e-8b82-4865-a1f4-cc6f1a1e5173",
+ "id": "bundle--6c373f47-49c5-4f8e-b889-3e4f980fada6",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:10.768Z",
- "name": "Screen Capture",
- "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Command: Command Execution",
- "Process: OS API Execution"
- ],
"type": "attack-pattern",
"id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
"created": "2020-05-21T17:43:26.506Z",
@@ -45,7 +23,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_is_subtechnique": false
+ "modified": "2025-04-16T21:26:18.404Z",
+ "name": "Screen Capture",
+ "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_data_sources": [
+ "Command: Command Execution",
+ "Process: OS API Execution"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json b/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json
index 34e708e4be..2f72c668f2 100644
--- a/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json
+++ b/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--02b8f3c5-2a3a-4352-9a3b-33aaa84273f8",
+ "id": "bundle--00ddd774-5dc8-4b38-8a17-e8b6bbd5c699",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:10.962Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
+ "created": "2022-09-29T13:35:38.589Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0891",
+ "external_id": "T0891"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:18.583Z",
"name": "Hardcoded Credentials",
"description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n",
"kill_chain_phases": [
@@ -17,7 +32,7 @@
"phase_name": "persistence"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Aagam Shah, @neutrinoguy, ABB"
],
@@ -35,21 +50,6 @@
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Logon Session: Logon Session Creation"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
- "created": "2022-09-29T13:35:38.589Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0891",
- "external_id": "T0891"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json b/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json
index 26cbb02ff3..fc3a46511a 100644
--- a/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json
+++ b/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json
@@ -1,10 +1,30 @@
{
"type": "bundle",
- "id": "bundle--166ab5b2-be5f-4c56-8151-2918c3ba7586",
+ "id": "bundle--40df16fb-ef03-4283-a207-a5b7d9b7b671",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:11.152Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0859",
+ "external_id": "T0859"
+ },
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:59:08.866Z",
"name": "Valid Accounts",
"description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.",
"kill_chain_phases": [
@@ -17,7 +37,7 @@
"phase_name": "lateral-movement"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
@@ -33,26 +53,6 @@
"User Account: User Account Authentication",
"Logon Session: Logon Session Creation",
"Logon Session: Logon Session Metadata"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0859",
- "external_id": "T0859"
- },
- {
- "source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
- "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json b/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json
index 00899179c7..2825a3ec5e 100644
--- a/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json
+++ b/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--f3afcc6e-b21d-48d8-bdc8-cddc2211fb60",
+ "id": "bundle--a3b0d9d7-ae47-400e-8ee1-77e5365758b2",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:11.342Z",
- "name": "Exploitation for Privilege Escalation",
- "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "privilege-escalation"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"created": "2021-04-13T12:08:26.506Z",
@@ -47,6 +23,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:18.792Z",
+ "name": "Exploitation for Privilege Escalation",
+ "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json b/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json
index 2c4e1af87a..99c3a6c5a4 100644
--- a/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json
+++ b/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json
@@ -1,36 +1,9 @@
{
"type": "bundle",
- "id": "bundle--24adbeb1-e300-473e-88e7-6aadcb9a249b",
+ "id": "bundle--2bd4cef1-641a-4722-887d-f261b9efc449",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:11.536Z",
- "name": "Remote System Discovery",
- "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "discovery"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "File: File Access",
- "Process: Process Creation",
- "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow"
- ],
"type": "attack-pattern",
"id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"created": "2020-05-21T17:43:26.506Z",
@@ -50,6 +23,33 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:18.958Z",
+ "name": "Remote System Discovery",
+ "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "File: File Access",
+ "Process: Process Creation",
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json b/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json
index 85b944deac..a6f29cf788 100644
--- a/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json
+++ b/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json
@@ -1,31 +1,9 @@
{
"type": "bundle",
- "id": "bundle--555c450b-727a-4e31-aa9c-067499ffdd4f",
+ "id": "bundle--a8c31a6a-a4f4-4ba3-b2e6-2527461702d5",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "Engineering Workstation Compromise",
- "description": "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_contributors": [
- "Joe Slowik - Dragos"
- ],
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Engineering Workstation"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73",
"created": "2020-05-21T17:43:26.506Z",
@@ -40,6 +18,28 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:53.188Z",
+ "name": "Engineering Workstation Compromise",
+ "description": "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Joe Slowik - Dragos"
+ ],
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Engineering Workstation"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json b/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json
index 42f2d55946..bbec409cbf 100644
--- a/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json
+++ b/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--23de2ce1-2cf0-4574-a9bd-68236905a71f",
+ "id": "bundle--5e811156-2755-4ff1-a0c7-20301dd4df2a",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:11.730Z",
- "name": "Connection Proxy",
- "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "command-and-control"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow"
- ],
"type": "attack-pattern",
"id": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,6 +23,31 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:19.127Z",
+ "name": "Connection Proxy",
+ "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json b/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
index d6c7e9523b..b974dc1d97 100644
--- a/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
+++ b/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
@@ -1,31 +1,9 @@
{
"type": "bundle",
- "id": "bundle--97265cde-e124-4fab-9c18-10f26de60ea4",
+ "id": "bundle--6267d0ac-b0a0-4180-8621-08100653ac52",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:11.924Z",
- "name": "Standard Application Layer Protocol",
- "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "command-and-control"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"created": "2020-05-21T17:43:26.506Z",
@@ -40,7 +18,29 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_is_subtechnique": false
+ "modified": "2025-04-16T21:26:19.328Z",
+ "name": "Standard Application Layer Protocol",
+ "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "command-and-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Flow",
+ "Network Traffic: Network Traffic Content"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json b/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json
index 1e59e04f3d..a6cc531482 100644
--- a/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json
+++ b/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json
@@ -1,36 +1,13 @@
{
"type": "bundle",
- "id": "bundle--adb91bed-2695-436a-9cb2-446823316620",
+ "id": "bundle--9182bcd0-390c-4b43-bf01-5cf9ad28e4c9",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_platforms": [
- "Safety Instrumented System/Protection Relay",
- "Field Controller/RTU/PLC/IED"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "attack-pattern",
"id": "attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-05-21T17:43:26.506Z",
- "modified": "2022-05-06T17:47:24.401Z",
- "name": "Modify Control Logic",
- "description": "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. \n\nProgram code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active.\n\nAn adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools.\n\nAn adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. \n\nIt is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the \u201creal\u201d pressure is for given analog signals and then automatically linearize the measurement to what would be the \u201creal\u201d pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be \u201ccorrected\u201d during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. (Citation: Stuxnet - Langner - 201311)\n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Maroochy - MITRE - 200808)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impair-process-control"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-ics-attack",
@@ -48,9 +25,32 @@
"url": "https://www.mitre.org/sites/default/files/pdf/08%201145.pdf"
}
],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T18:00:53.367Z",
+ "name": "Modify Control Logic",
+ "description": "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. \n\nProgram code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active.\n\nAn adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools.\n\nAn adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. \n\nIt is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the \u201creal\u201d pressure is for given analog signals and then automatically linearize the measurement to what would be the \u201creal\u201d pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be \u201ccorrected\u201d during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. (Citation: Stuxnet - Langner - 201311)\n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Maroochy - MITRE - 200808)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impair-process-control"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": true,
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Safety Instrumented System/Protection Relay",
+ "Field Controller/RTU/PLC/IED"
+ ],
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
diff --git a/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json b/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
index 122a317723..7fba5a425a 100644
--- a/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
+++ b/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
@@ -1,46 +1,9 @@
{
"type": "bundle",
- "id": "bundle--966d9296-9c5a-451d-8873-b85f04581261",
+ "id": "bundle--d02b7fc2-e53a-4dfe-a822-0d6f1e6de02c",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:12.125Z",
- "name": "Remote Services",
- "description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "lateral-movement"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_contributors": [
- "Daisuke Suzuki"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
- "Module: Module Load",
- "Logon Session: Logon Session Creation",
- "Process: Process Creation",
- "Command: Command Execution",
- "Network Traffic: Network Connection Creation",
- "Network Share: Network Share Access"
- ],
"type": "attack-pattern",
"id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"created": "2021-04-12T19:26:26.506Z",
@@ -75,6 +38,43 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:19.525Z",
+ "name": "Remote Services",
+ "description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Daisuke Suzuki"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Flow",
+ "Module: Module Load",
+ "Logon Session: Logon Session Creation",
+ "Process: Process Creation",
+ "Command: Command Execution",
+ "Network Traffic: Network Connection Creation",
+ "Network Share: Network Share Access"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json b/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
index f69ef2b522..838935c3d2 100644
--- a/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
+++ b/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
@@ -1,29 +1,9 @@
{
"type": "bundle",
- "id": "bundle--452eff69-a3dd-4813-ab68-8f16df66d525",
+ "id": "bundle--16384a5e-c608-483d-8945-fee73c89453e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-05-08T20:13:24.241Z",
- "name": "I/O Module Discovery",
- "description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "discovery"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": true,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Windows",
- "Field Controller/RTU/PLC/IED"
- ],
- "x_mitre_version": "1.0",
"type": "attack-pattern",
"id": "attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0",
"created": "2020-05-21T17:43:26.506Z",
@@ -38,6 +18,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:53.554Z",
+ "name": "I/O Module Discovery",
+ "description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "Field Controller/RTU/PLC/IED"
+ ],
+ "x_mitre_version": "1.0",
"x_mitre_is_subtechnique": false
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json b/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
index e431203b4a..8be98828b2 100644
--- a/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
+++ b/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--a54bc8a8-7290-438a-a71e-e18f723f0d41",
+ "id": "bundle--3e8d3a44-7298-4347-b309-f6a56d02b730",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:12.329Z",
- "name": "Denial of Control",
- "description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
"type": "attack-pattern",
"id": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
"created": "2020-05-21T17:43:26.506Z",
@@ -48,8 +27,8 @@
},
{
"source_name": "Michael J. Assante and Robert M. Lee",
- "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
- "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
+ "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
+ "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
},
{
"source_name": "Tyson Macaulay",
@@ -59,7 +38,28 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-15T19:59:15.775Z",
+ "name": "Denial of Control",
+ "description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json b/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
index b9ef9b7567..6f41859ceb 100644
--- a/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
+++ b/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
@@ -1,36 +1,9 @@
{
"type": "bundle",
- "id": "bundle--d4f180ed-1af2-4742-8c59-2f9e9f1e2bcd",
+ "id": "bundle--da4bd50d-62c9-4e65-83be-449e9f641570",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:12.528Z",
- "name": "Modify Alarm Settings",
- "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Asset: Asset Inventory",
- "Operational Databases: Process History/Live Data",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"created": "2020-05-21T17:43:26.506Z",
@@ -50,6 +23,33 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:19.764Z",
+ "name": "Modify Alarm Settings",
+ "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Asset: Asset Inventory",
+ "Operational Databases: Process History/Live Data",
+ "Network Traffic: Network Traffic Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json b/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
index 0933e96d95..2af5e2ec73 100644
--- a/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
+++ b/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
@@ -1,10 +1,25 @@
{
"type": "bundle",
- "id": "bundle--59cd50f4-f39a-433d-b7a7-3b0f18de048d",
+ "id": "bundle--bbf7acf4-4e05-46ca-8348-6e832f0904fe",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:12.723Z",
+ "type": "attack-pattern",
+ "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0885",
+ "external_id": "T0885"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:19.961Z",
"name": "Commonly Used Port",
"description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)",
"kill_chain_phases": [
@@ -13,7 +28,7 @@
"phase_name": "command-and-control"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_contributors": [
"Matan Dobrushin - Otorio"
],
@@ -31,21 +46,6 @@
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content"
- ],
- "type": "attack-pattern",
- "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
- "created": "2020-05-21T17:43:26.506Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/techniques/T0885",
- "external_id": "T0885"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json b/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
index 902caed32d..94321f1ecd 100644
--- a/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
+++ b/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
@@ -1,33 +1,9 @@
{
"type": "bundle",
- "id": "bundle--0eb13c33-0c38-4e28-8fef-7257613d9ee9",
+ "id": "bundle--5fca1011-d9c9-4e7d-85f7-7ef7142b72fa",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:12.926Z",
- "name": "Project File Infection",
- "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "persistence"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "File: File Modification"
- ],
"type": "attack-pattern",
"id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
"created": "2020-05-21T17:43:26.506Z",
@@ -46,8 +22,8 @@
},
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
},
{
"source_name": "PLCdev",
@@ -57,6 +33,30 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-15T19:59:17.481Z",
+ "name": "Project File Infection",
+ "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "File: File Modification"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json b/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
index c87ca81d3e..54d642b7fa 100644
--- a/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
+++ b/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--7b43c432-d90d-40a8-b589-4a18eae6c9fb",
+ "id": "bundle--913cdc43-a299-4e78-8ea1-65125c1ecea6",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-03-29T14:04:50.569Z",
- "name": "Network Connection Enumeration",
- "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "discovery"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Command: Command Execution",
- "Process: Process Creation",
- "Script: Script Execution",
- "Process: OS API Execution"
- ],
"type": "attack-pattern",
"id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,8 +29,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-15T19:59:18.381Z",
+ "name": "Network Connection Enumeration",
+ "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "discovery"
+ }
+ ],
"x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Command: Command Execution",
+ "Process: Process Creation",
+ "Script: Script Execution",
+ "Process: OS API Execution"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json b/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
index 948099ed74..d3974c49ad 100644
--- a/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
+++ b/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
@@ -1,39 +1,9 @@
{
"type": "bundle",
- "id": "bundle--c00d0028-fb42-4009-b6da-f49897efd700",
+ "id": "bundle--9c78e2ed-cea3-4706-8cc5-f43f01585186",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:13.327Z",
- "name": "Lateral Tool Transfer",
- "description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "lateral-movement"
- }
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Network Share: Network Share Access",
- "File: File Metadata",
- "File: File Creation",
- "Network Traffic: Network Traffic Content",
- "Command: Command Execution",
- "Process: Process Creation",
- "Network Traffic: Network Traffic Flow"
- ],
"type": "attack-pattern",
"id": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
"created": "2020-05-21T17:43:26.506Z",
@@ -53,6 +23,36 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:20.126Z",
+ "name": "Lateral Tool Transfer",
+ "description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Network Share: Network Share Access",
+ "File: File Metadata",
+ "File: File Creation",
+ "Network Traffic: Network Traffic Content",
+ "Command: Command Execution",
+ "Process: Process Creation",
+ "Network Traffic: Network Traffic Flow"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json b/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
index 2f4cf4e054..ff418aa62e 100644
--- a/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
+++ b/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
@@ -1,40 +1,9 @@
{
"type": "bundle",
- "id": "bundle--82211195-2ecb-4dcc-89d6-e940caa02156",
+ "id": "bundle--9e770362-e228-4724-a48c-638d81f5ae74",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:13.531Z",
- "name": "Module Firmware",
- "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "persistence"
- },
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "impair-process-control"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_data_sources": [
- "Operational Databases: Device Alarm",
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Content",
- "Firmware: Firmware Modification"
- ],
"type": "attack-pattern",
"id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
"created": "2020-05-21T17:43:26.506Z",
@@ -54,6 +23,37 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:20.310Z",
+ "name": "Module Firmware",
+ "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impair-process-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Operational Databases: Device Alarm",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content",
+ "Firmware: Firmware Modification"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json b/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
index 8b683da148..9143d4ff37 100644
--- a/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
+++ b/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
@@ -1,35 +1,9 @@
{
"type": "bundle",
- "id": "bundle--e762995a-be87-46f4-a74d-c4f4cfaacaf6",
+ "id": "bundle--9fe116f9-d262-4b75-923a-440298604451",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:13.719Z",
- "name": "Internet Accessible Device",
- "description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "initial-access"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Logon Session: Logon Session Metadata",
- "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
"created": "2020-05-21T17:43:26.506Z",
@@ -64,6 +38,32 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:20.494Z",
+ "name": "Internet Accessible Device",
+ "description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Logon Session: Logon Session Metadata",
+ "Network Traffic: Network Traffic Flow",
+ "Network Traffic: Network Traffic Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json b/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json
index f531ace4e2..55cbacaf18 100644
--- a/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json
+++ b/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json
@@ -1,35 +1,9 @@
{
"type": "bundle",
- "id": "bundle--3ad49b55-2e6e-49ba-8c41-b12d9b73b8fe",
+ "id": "bundle--510a7e3d-301a-49ce-b257-aa3db1b447f1",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-04-09T20:51:03.049Z",
- "name": "Data from Local System",
- "description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "File: File Access",
- "Process: Process Creation",
- "Script: Script Execution",
- "Process: OS API Execution",
- "Command: Command Execution"
- ],
"type": "attack-pattern",
"id": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
"created": "2023-03-30T18:56:02.424Z",
@@ -45,8 +19,34 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-15T19:59:23.577Z",
+ "name": "Data from Local System",
+ "description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
"x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "File: File Access",
+ "Process: Process Creation",
+ "Script: Script Execution",
+ "Process: OS API Execution",
+ "Command: Command Execution"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json b/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json
index 07e1097286..6424383387 100644
--- a/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json
+++ b/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json
@@ -1,37 +1,9 @@
{
"type": "bundle",
- "id": "bundle--5e3112d8-ae6b-4375-9c52-d7ffd3a4d628",
+ "id": "bundle--7d9f23e6-5d81-41de-9f2b-31759b393997",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-13T17:57:14.123Z",
- "name": "Change Credential",
- "description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device\u2019s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "inhibit-response-function"
- }
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_contributors": [
- "Felix Eberstaller"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_data_sources": [
- "Operational Databases: Device Alarm",
- "Network Traffic: Network Traffic Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"created": "2023-03-30T14:04:17.023Z",
@@ -51,6 +23,34 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:20.690Z",
+ "name": "Change Credential",
+ "description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device\u2019s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Felix Eberstaller"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Operational Databases: Device Alarm",
+ "Network Traffic: Network Traffic Content"
]
}
]
diff --git a/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json b/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
index 79bb4ef35b..75ce33217b 100644
--- a/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
+++ b/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
@@ -1,34 +1,9 @@
{
"type": "bundle",
- "id": "bundle--8f2ae4b7-530b-4504-b2b5-50b41bbb5109",
+ "id": "bundle--637b5a60-80a2-47e9-a0f3-47f36f8583f8",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-20T17:01:10.138Z",
- "name": "Modify Program",
- "description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-ics-attack",
- "phase_name": "persistence"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "None"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Operational Databases: Device Alarm",
- "Asset: Software",
- "Application Log: Application Log Content"
- ],
"type": "attack-pattern",
"id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
"created": "2021-04-13T11:15:26.506Z",
@@ -49,8 +24,33 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-15T19:59:24.213Z",
+ "name": "Modify Program",
+ "description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ }
+ ],
"x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Operational Databases: Device Alarm",
+ "Asset: Software",
+ "Application Log: Application Log Content"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/campaign/campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f.json b/ics-attack/campaign/campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f.json
new file mode 100644
index 0000000000..97f1eb09a4
--- /dev/null
+++ b/ics-attack/campaign/campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f.json
@@ -0,0 +1,52 @@
+{
+ "type": "bundle",
+ "id": "bundle--ef9a9aae-cb5e-4b18-aa5e-fe68c792d982",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2025-03-05T22:12:26.131Z",
+ "name": "FrostyGoop Incident",
+ "description": "[FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041) took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external facing services, [FrostyGoop](https://attack.mitre.org/software/S1165) was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)",
+ "aliases": [
+ "FrostyGoop Incident"
+ ],
+ "first_seen": "2024-01-01T07:00:00.000Z",
+ "last_seen": "2024-01-01T07:00:00.000Z",
+ "x_mitre_first_seen_citation": "(Citation: Dragos FROSTYGOOP 2024)",
+ "x_mitre_last_seen_citation": "(Citation: Dragos FROSTYGOOP 2024)",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "type": "campaign",
+ "id": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f",
+ "created": "2024-11-20T23:15:36.728Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/campaigns/C0041",
+ "external_id": "C0041"
+ },
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ },
+ {
+ "source_name": "Nozomi BUSTLEBERM 2024",
+ "description": "Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.",
+ "url": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/campaign/campaign--45a98f02-852f-49b2-94c0-c63207bebbbf.json b/ics-attack/campaign/campaign--45a98f02-852f-49b2-94c0-c63207bebbbf.json
index 71f26c19f5..a11cb039e2 100644
--- a/ics-attack/campaign/campaign--45a98f02-852f-49b2-94c0-c63207bebbbf.json
+++ b/ics-attack/campaign/campaign--45a98f02-852f-49b2-94c0-c63207bebbbf.json
@@ -1,10 +1,10 @@
{
"type": "bundle",
- "id": "bundle--5dd7c7e9-b7dd-43be-b8a6-ce16e9bdd2ea",
+ "id": "bundle--ce7b0aa1-40fe-4f95-8dc0-0d1e46438f1c",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-04-17T16:17:07.038Z",
+ "modified": "2024-11-17T16:15:02.223Z",
"name": "Triton Safety Instrumented System Attack",
"description": "[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n",
"aliases": [
@@ -39,8 +39,8 @@
},
{
"source_name": "FireEye TRITON 2018",
- "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"
+ "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"
}
],
"object_marking_refs": [
diff --git a/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json b/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json
index d43ededcce..750fbe422b 100644
--- a/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json
+++ b/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json
@@ -1,10 +1,10 @@
{
"type": "bundle",
- "id": "bundle--85bb0799-72d7-4482-80c0-fd3ea684e94e",
+ "id": "bundle--2709cbca-b601-4852-83b6-69e48f6aedd9",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-10-06T14:05:01.054Z",
+ "modified": "2024-12-18T18:59:44.199Z",
"name": "2015 Ukraine Electric Power Attack",
"description": "[2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.",
"aliases": [
@@ -29,7 +29,7 @@
},
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
diff --git a/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json b/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json
index 189ad1e23d..41bbb82867 100644
--- a/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json
+++ b/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json
@@ -1,21 +1,9 @@
{
"type": "bundle",
- "id": "bundle--c472ba63-5b0e-427a-876a-de185da70cb6",
+ "id": "bundle--1b9e4f7d-f588-42af-87f0-84235e07e0ee",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T22:40:13.147Z",
- "name": "Oldsmar Treatment Plant Intrusion",
- "description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)",
- "aliases": [
- "Oldsmar Treatment Plant Intrusion"
- ],
- "first_seen": "2021-02-01T05:00:00.000Z",
- "last_seen": "2021-02-01T05:00:00.000Z",
- "x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
- "x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
- "x_mitre_deprecated": true,
- "x_mitre_version": "1.0",
"type": "campaign",
"id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2",
"created": "2022-09-20T20:53:14.373Z",
@@ -46,8 +34,20 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "modified": "2025-04-18T18:00:54.375Z",
+ "name": "Oldsmar Treatment Plant Intrusion",
+ "description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)",
+ "aliases": [
+ "Oldsmar Treatment Plant Intrusion"
+ ],
+ "first_seen": "2021-02-01T05:00:00.000Z",
+ "last_seen": "2021-02-01T05:00:00.000Z",
+ "x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
+ "x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
]
diff --git a/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json b/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json
index d242aca63b..0b0c0099c4 100644
--- a/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json
+++ b/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json
@@ -1,21 +1,9 @@
{
"type": "bundle",
- "id": "bundle--ca8409de-8fbf-46ab-86c4-f4938393f64b",
+ "id": "bundle--14914036-831d-49d2-b2f1-6028dfbec3cd",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-04-05T22:00:43.353Z",
- "name": "Maroochy Water Breach",
- "description": "[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government\u2019s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)",
- "aliases": [
- "Maroochy Water Breach"
- ],
- "first_seen": "2000-02-01T05:00:00.000Z",
- "last_seen": "2000-04-01T05:00:00.000Z",
- "x_mitre_first_seen_citation": "(Citation: Marshall Abrams July 2008)",
- "x_mitre_last_seen_citation": "(Citation: Marshall Abrams July 2008)",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
"type": "campaign",
"id": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"created": "2023-03-10T20:01:08.133Z",
@@ -36,8 +24,20 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "modified": "2025-04-16T21:26:23.900Z",
+ "name": "Maroochy Water Breach",
+ "description": "[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government\u2019s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)",
+ "aliases": [
+ "Maroochy Water Breach"
+ ],
+ "first_seen": "2000-02-01T05:00:00.000Z",
+ "last_seen": "2000-04-01T05:00:00.000Z",
+ "x_mitre_first_seen_citation": "(Citation: Marshall Abrams July 2008)",
+ "x_mitre_last_seen_citation": "(Citation: Marshall Abrams July 2008)",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"ics-attack"
]
diff --git a/ics-attack/campaign/campaign--8fda050f-470d-4401-994e-35c1a6c301de.json b/ics-attack/campaign/campaign--8fda050f-470d-4401-994e-35c1a6c301de.json
index 20ee04bd33..2b7f0aae9f 100644
--- a/ics-attack/campaign/campaign--8fda050f-470d-4401-994e-35c1a6c301de.json
+++ b/ics-attack/campaign/campaign--8fda050f-470d-4401-994e-35c1a6c301de.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--41e47ce7-d348-446e-bc39-6531160d2f98",
+ "id": "bundle--4ed4a7a5-5296-48de-b1b6-48f506a1dd8e",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json b/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json
index b110e17d2a..85e4ab5816 100644
--- a/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json
+++ b/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json
@@ -1,21 +1,9 @@
{
"type": "bundle",
- "id": "bundle--dfff044b-4a94-4afa-8b6d-6e5a433b1242",
+ "id": "bundle--6ef0bfae-0a91-4256-b35f-186bd59b89da",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-04-10T21:18:24.743Z",
- "name": "2016 Ukraine Electric Power Attack",
- "description": "[2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)",
- "aliases": [
- "2016 Ukraine Electric Power Attack"
- ],
- "first_seen": "2016-12-01T05:00:00.000Z",
- "last_seen": "2016-12-01T05:00:00.000Z",
- "x_mitre_first_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)",
- "x_mitre_last_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
"type": "campaign",
"id": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
"created": "2023-03-31T17:22:23.567Z",
@@ -41,8 +29,20 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "modified": "2025-04-16T20:37:46.567Z",
+ "name": "2016 Ukraine Electric Power Attack",
+ "description": "[2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)",
+ "aliases": [
+ "2016 Ukraine Electric Power Attack"
+ ],
+ "first_seen": "2016-12-01T05:00:00.000Z",
+ "last_seen": "2016-12-01T05:00:00.000Z",
+ "x_mitre_first_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)",
+ "x_mitre_last_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_domains": [
"enterprise-attack",
"ics-attack"
diff --git a/ics-attack/campaign/campaign--df8eb785-70f8-4300-b444-277ba849083d.json b/ics-attack/campaign/campaign--df8eb785-70f8-4300-b444-277ba849083d.json
index 1afb9e0ead..8284d24138 100644
--- a/ics-attack/campaign/campaign--df8eb785-70f8-4300-b444-277ba849083d.json
+++ b/ics-attack/campaign/campaign--df8eb785-70f8-4300-b444-277ba849083d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c485976b-9ffd-4dc0-9f81-cfd5697aa8cb",
+ "id": "bundle--526068ee-b18f-4ab9-8af2-973dbef13cc7",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json b/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json
index ff6ecd79a6..68b043746a 100644
--- a/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json
+++ b/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--f1ea3143-810e-47a1-b576-c2903854d59d",
+ "id": "bundle--2d9d4363-2d56-4398-b07e-17db5f3ce62c",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:33:26.200Z",
- "name": "Application Isolation and Sandboxing",
- "description": "Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 5.4",
- "IEC 62443-4-2:2019 - CR 5.4",
- "NIST SP 800-53 Rev. 5 - SI-3"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
"created": "2019-06-11T17:06:56.230Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:25.920Z",
+ "name": "Application Isolation and Sandboxing",
+ "description": "Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 5.4",
+ "IEC 62443-4-2:2019 - CR 5.4",
+ "NIST SP 800-53 Rev. 5 - SI-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json b/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json
index 5a36f971f1..e395d17bba 100644
--- a/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json
+++ b/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--adea469c-54e0-4345-98db-319e473ad626",
+ "id": "bundle--f8a49c23-eedc-432e-867c-cea79f5821a5",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:44:59.425Z",
- "name": "Filter Network Traffic",
- "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)",
- "labels": [
- "IEC 62443-3-3:2013 - SR 5.1",
- "IEC 62443-4-2:2019 - CR 5.1",
- "NIST SP 800-53 Rev. 5 - AC-3; SC-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"created": "2019-06-11T16:33:55.337Z",
@@ -37,8 +24,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:26.074Z",
+ "name": "Filter Network Traffic",
+ "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 5.1",
+ "IEC 62443-4-2:2019 - CR 5.1",
+ "NIST SP 800-53 Rev. 5 - AC-3; SC-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json b/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json
index 3a831d0901..8ae0c9be6f 100644
--- a/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json
+++ b/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--236bfaaa-718b-44f1-8c69-571d4c763972",
+ "id": "bundle--2c9de8da-491d-41f3-910f-4216d814ec1e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:11:35.668Z",
- "name": "Restrict Web-Based Content",
- "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 2.4",
- "IEC 62443-4-2:2019 - HDR 2.4",
- "NIST SP 800-53 Rev. 5 - SC-18"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144",
"created": "2019-06-06T20:52:59.206Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:26.226Z",
+ "name": "Restrict Web-Based Content",
+ "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 2.4",
+ "IEC 62443-4-2:2019 - HDR 2.4",
+ "NIST SP 800-53 Rev. 5 - SC-18"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json b/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json
index 96963fc488..48cba030da 100644
--- a/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json
+++ b/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json
@@ -1,24 +1,9 @@
{
"type": "bundle",
- "id": "bundle--37e4f53a-1723-4313-9a37-cd3e98d5f5b4",
+ "id": "bundle--d8281813-a9e2-456a-beaa-30e693d16106",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:14:57.819Z",
- "name": "Validate Program Inputs",
- "description": "Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)",
- "labels": [
- "IEC 62443-3-3:2013 - SR 3.5",
- "IEC 62443-3-3:2013 - SR 3.6",
- "IEC 62443-4-2:2019 - CR 3.5",
- "IEC 62443-4-2:2019 - CR 3.6",
- "NIST SP 800-53 Rev. 5 - SI-10"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517",
"created": "2023-03-22T15:49:55.439Z",
@@ -39,8 +24,23 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:26.390Z",
+ "name": "Validate Program Inputs",
+ "description": "Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.5",
+ "IEC 62443-3-3:2013 - SR 3.6",
+ "IEC 62443-4-2:2019 - CR 3.5",
+ "IEC 62443-4-2:2019 - CR 3.6",
+ "NIST SP 800-53 Rev. 5 - SI-10"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json b/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json
index 21fa79698e..bde735ada4 100644
--- a/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json
+++ b/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--bb369e88-cad1-43c9-9685-0d1dc502a201",
+ "id": "bundle--21c90bb2-8340-4107-a51a-7af307595bfd",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:50:12.354Z",
- "name": "Network Segmentation",
- "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)",
- "labels": [
- "IEC 62443-3-3:2013 - SR 5.1",
- "IEC 62443-4-2:2019 - CR 5.1",
- "NIST SP 800-53 Rev. 5 - AC-3"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"created": "2019-06-10T20:41:03.271Z",
@@ -42,8 +29,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:26.551Z",
+ "name": "Network Segmentation",
+ "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 5.1",
+ "IEC 62443-4-2:2019 - CR 5.1",
+ "NIST SP 800-53 Rev. 5 - AC-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json b/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json
index 3f53e48e02..0c6e1895d6 100644
--- a/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json
+++ b/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--976e682e-1d5c-4bfb-b112-1efc6e5efed1",
+ "id": "bundle--156510e4-0aa2-48e6-a974-09c232f86053",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:10:52.949Z",
- "name": "Restrict Library Loading",
- "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 7.7",
- "IEC 62443-4-2:2019 - CR 7.7",
- "NIST SP 800-53 Rev. 5 - CM-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3",
"created": "2019-06-11T17:00:01.740Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:26.729Z",
+ "name": "Restrict Library Loading",
+ "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 7.7",
+ "IEC 62443-4-2:2019 - CR 7.7",
+ "NIST SP 800-53 Rev. 5 - CM-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json b/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json
index 06a8d3f267..4079b1ff01 100644
--- a/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json
+++ b/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--efbe2cbe-eb3c-40ac-aaaa-2539fa618277",
+ "id": "bundle--db1fef2c-d23a-4d32-b524-0679bc73476a",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-24T15:09:07.609Z",
- "name": "Active Directory Configuration",
- "description": "Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
"type": "course-of-action",
"id": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722",
"created": "2019-06-06T16:39:58.291Z",
@@ -26,7 +17,16 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:26.911Z",
+ "name": "Active Directory Configuration",
+ "description": "Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json b/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json
index a7eb668189..b57e6cee9e 100644
--- a/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json
+++ b/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--99f54ca1-4246-47c2-a470-a5472792cd8a",
+ "id": "bundle--469b8e6e-4ec9-4274-8c84-ec1a355a5d67",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:49:53.366Z",
- "name": "Network Intrusion Prevention",
- "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 6.2",
- "IEC 62443-4-2:2019 - CR 6.2",
- "NIST SP 800-53 Rev. 5 - SI-4"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
"created": "2019-06-10T20:46:02.263Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:27.092Z",
+ "name": "Network Intrusion Prevention",
+ "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 6.2",
+ "IEC 62443-4-2:2019 - CR 6.2",
+ "NIST SP 800-53 Rev. 5 - SI-4"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json b/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json
index dd7d73c15b..fb812fd6d8 100644
--- a/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json
+++ b/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--f21e0f22-6d4c-4433-8e6e-ebfd5d5c129f",
+ "id": "bundle--0ec037ae-87b0-418b-a94a-88621aefadaf",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:11:12.773Z",
- "name": "Restrict Registry Permissions",
- "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 2.1",
- "IEC 62443-4-2:2019 - CR 2.1",
- "NIST SP 800-53 Rev. 5 - AC-6"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3",
"created": "2019-06-06T20:58:59.577Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:27.274Z",
+ "name": "Restrict Registry Permissions",
+ "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 2.1",
+ "IEC 62443-4-2:2019 - CR 2.1",
+ "NIST SP 800-53 Rev. 5 - AC-6"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json b/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json
index 96f5b1d0a5..ccac7a0784 100644
--- a/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json
+++ b/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--05966ebd-c5da-4b11-a5ff-7f9c042a1f02",
+ "id": "bundle--16fdab8a-50a7-4516-bf69-a0405c16fd18",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-30T20:55:14.442Z",
- "name": "Data Loss Prevention",
- "description": "Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 4.1",
- "IEC 62443-4-2:2019 - CR 4.1"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
"type": "course-of-action",
"id": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5",
"created": "2020-09-11T16:32:21.854Z",
@@ -30,7 +17,20 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:27.444Z",
+ "name": "Data Loss Prevention",
+ "description": "Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 4.1",
+ "IEC 62443-4-2:2019 - CR 4.1"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json b/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json
index b58a6cb4f9..a7b9e57309 100644
--- a/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json
+++ b/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json
@@ -1,12 +1,12 @@
{
"type": "bundle",
- "id": "bundle--3c60136b-c9bd-4d68-acd5-e0bfd899e816",
+ "id": "bundle--1d73bcff-0ee4-4a99-b405-194a18f6ee1a",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:30:56.250Z",
+ "modified": "2025-03-12T16:11:54.933Z",
"name": "Access Management",
- "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provided sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)",
+ "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)",
"labels": [
"IEC 62443-3-3:2013 - SR 2.1",
"IEC 62443-4-2:2019 - CR 2.1",
@@ -42,7 +42,7 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
diff --git a/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json b/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json
index 738996c8ec..f72c35e2ee 100644
--- a/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json
+++ b/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--13d26955-37ad-40df-9fc9-ae60a619de2b",
+ "id": "bundle--6ddaf85c-bbb3-4db1-9e85-1cd4f267a0e1",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-24T15:09:07.609Z",
- "name": "Mitigation Limited or Not Effective",
- "description": "This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
"type": "course-of-action",
"id": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433",
"created": "2020-09-11T16:32:21.854Z",
@@ -26,7 +17,16 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:27.652Z",
+ "name": "Mitigation Limited or Not Effective",
+ "description": "This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json b/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json
index e1a09eee71..c8d6276dde 100644
--- a/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json
+++ b/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--30c07769-69f7-4375-8bef-b87565dc7bf4",
+ "id": "bundle--6f9cbf75-78ef-4180-80e8-c3147bb5bbeb",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:44:04.416Z",
- "name": "Exploit Protection",
- "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 3.2",
- "IEC 62443-4-2:2019 - CR 3.2",
- "NIST SP 800-53 Rev. 5 - SI-16"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9",
"created": "2019-06-11T17:10:57.070Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:27.827Z",
+ "name": "Exploit Protection",
+ "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.2",
+ "IEC 62443-4-2:2019 - CR 3.2",
+ "NIST SP 800-53 Rev. 5 - SI-16"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json b/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json
index 05fb76cc61..67e1d1c7c1 100644
--- a/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json
+++ b/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--c1242837-0e8c-4175-9962-072053012235",
+ "id": "bundle--3decee28-ff2d-4b4e-baf8-0cad5bb9223f",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:48:00.950Z",
- "name": "Limit Access to Resource Over Network",
- "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 5.1",
- "IEC 62443-4-2:2019 - CR 5.1",
- "NIST SP 800-53 Rev. 5 - AC-3; SC-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110",
"created": "2019-06-11T16:30:16.672Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:27.991Z",
+ "name": "Limit Access to Resource Over Network",
+ "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 5.1",
+ "IEC 62443-4-2:2019 - CR 5.1",
+ "NIST SP 800-53 Rev. 5 - AC-3; SC-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json b/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json
index 6ed2b3aa84..1428f530bb 100644
--- a/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json
+++ b/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--8b191485-5441-4421-8c40-9a59f742f6f2",
+ "id": "bundle--1cf5ae63-7d6c-4312-8895-e908fde4a1c9",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:43:44.551Z",
- "name": "Execution Prevention",
- "description": "Block execution of code on a system through application control, and/or script blocking.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 3.2",
- "IEC 62443-4-2:2019 - CR 3.2",
- "NIST SP 800-53 Rev. 5 - SI-3"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30",
"created": "2019-06-11T16:35:25.488Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:28.155Z",
+ "name": "Execution Prevention",
+ "description": "Block execution of code on a system through application control, and/or script blocking.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.2",
+ "IEC 62443-4-2:2019 - CR 3.2",
+ "NIST SP 800-53 Rev. 5 - SI-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json b/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json
index b3bd17e45b..a3cdc2375d 100644
--- a/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json
+++ b/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--06102619-f7bb-487d-9fa3-68a4f00b3ea0",
+ "id": "bundle--c4e4a79e-2976-41d9-8837-2b67187af80a",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:12:51.139Z",
- "name": "Static Network Configuration",
- "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 7.7",
- "IEC 62443-4-2:2019 - CR 7.7",
- "NIST SP 800-53 Rev. 5 - CM-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.1",
"type": "course-of-action",
"id": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
"created": "2019-06-06T21:16:18.709Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:28.312Z",
+ "name": "Static Network Configuration",
+ "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 7.7",
+ "IEC 62443-4-2:2019 - CR 7.7",
+ "NIST SP 800-53 Rev. 5 - CM-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json b/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json
index cb6f953020..adb96fba21 100644
--- a/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json
+++ b/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--d016fbc2-b401-4010-93e3-14f90d1ffc77",
+ "id": "bundle--cc0e570d-6b3f-4250-ac8b-78b08093ac01",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:51:14.526Z",
- "name": "Password Policies",
- "description": "Set and enforce secure password policies for accounts.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 1.5",
- "IEC 62443-4-2:2019 - CR 1.5",
- "NIST SP 800-53 Rev. 5 - IA-5"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65",
"created": "2019-06-06T21:10:35.792Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:28.470Z",
+ "name": "Password Policies",
+ "description": "Set and enforce secure password policies for accounts.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 1.5",
+ "IEC 62443-4-2:2019 - CR 1.5",
+ "NIST SP 800-53 Rev. 5 - IA-5"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json b/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json
index b79b3daadb..d43e52de03 100644
--- a/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json
+++ b/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--26831733-d73b-4acc-a475-af3dd8a90563",
+ "id": "bundle--33bfe103-73df-4840-81f9-502f4753b469",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:51:40.366Z",
- "name": "Privileged Account Management",
- "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 1.3",
- "IEC 62443-4-2:2019 - CR 1.3",
- "NIST SP 800-53 Rev. 5 - AC-2"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
"created": "2019-06-06T21:09:47.115Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:28.652Z",
+ "name": "Privileged Account Management",
+ "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 1.3",
+ "IEC 62443-4-2:2019 - CR 1.3",
+ "NIST SP 800-53 Rev. 5 - AC-2"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json b/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json
index 9d6497b3d4..881353c2f0 100644
--- a/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json
+++ b/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--5cf262a7-2266-41bf-93c3-1280f65ebfe6",
+ "id": "bundle--44e9c478-919b-42a5-9cef-5dafe10c5234",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json b/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json
index 1dab35b10b..1053f046cd 100644
--- a/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json
+++ b/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--722c606b-4e9d-4e9b-9215-2ef12add1a1f",
+ "id": "bundle--1ec6e17b-5865-4610-8a07-3ee98f573d42",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-24T15:09:07.609Z",
- "name": "SSL/TLS Inspection",
- "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
"type": "course-of-action",
"id": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c",
"created": "2019-06-06T20:15:34.146Z",
@@ -26,7 +17,16 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:28.819Z",
+ "name": "SSL/TLS Inspection",
+ "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json b/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json
index c509baf243..8c48771f2b 100644
--- a/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json
+++ b/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--1c5e8056-9d13-4548-84ba-abd27af1257f",
+ "id": "bundle--d6fd6e3c-5c60-4497-b8f6-d8211f5e290b",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:39:41.056Z",
- "name": "Code Signing",
- "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 3.4",
- "IEC 62443-4-2:2019 - CR 3.4",
- "NIST SP 800-53 Rev. 5 - SI-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"created": "2019-06-11T17:01:25.405Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:28.975Z",
+ "name": "Code Signing",
+ "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.4",
+ "IEC 62443-4-2:2019 - CR 3.4",
+ "NIST SP 800-53 Rev. 5 - SI-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json b/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json
index 63c499b142..2b67b5b18c 100644
--- a/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json
+++ b/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0fe0328a-77a2-4845-ae31-dfa6ad84c7e0",
+ "id": "bundle--84870856-6e20-4bd6-8aaa-9e9badd563fc",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json b/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json
index 37a08cd007..600d5438b8 100644
--- a/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json
+++ b/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--624b0ae1-8557-4b1d-9a85-a3e2194ebfbc",
+ "id": "bundle--c413611b-bdd1-4769-88ea-fc5904f9e722",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:42:52.198Z",
- "name": "Encrypt Network Traffic",
- "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 4.1",
- "IEC 62443-4-2:2019 - CR 4.1",
- "NIST SP 800-53 Rev. 5 - SC-8"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a",
"created": "2020-09-11T16:32:21.854Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:29.147Z",
+ "name": "Encrypt Network Traffic",
+ "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 4.1",
+ "IEC 62443-4-2:2019 - CR 4.1",
+ "NIST SP 800-53 Rev. 5 - SC-8"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json b/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json
index 6adf719452..f6e2a7c8d0 100644
--- a/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json
+++ b/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--f2cba255-f7b9-46a3-9694-1b9d365caf46",
+ "id": "bundle--f62fd756-b1af-4e90-833f-216d37abcada",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:31:48.809Z",
- "name": "Account Use Policies",
- "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 1.11",
- "IEC 62443-4-2:2019 - CR 1.11",
- "NIST SP 800-53 Rev. 5 - IA-5"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02",
"created": "2019-06-11T16:32:21.854Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:29.323Z",
+ "name": "Account Use Policies",
+ "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 1.11",
+ "IEC 62443-4-2:2019 - CR 1.11",
+ "NIST SP 800-53 Rev. 5 - IA-5"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json b/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json
index 3c43438ee8..4406923eb5 100644
--- a/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json
+++ b/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json
@@ -1,21 +1,9 @@
{
"type": "bundle",
- "id": "bundle--0b2b00cc-d8da-4f89-a525-e92c626a3023",
+ "id": "bundle--29fc8cf2-fdbc-4746-b6be-5cdfbd979c9c",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:32:48.390Z",
- "name": "Application Developer Guidance",
- "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
- "labels": [
- "NIST SP 800-53 Rev. 4 - AT-3",
- "NIST SP 800-53 Rev. 4 - AT-3"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7",
"created": "2017-10-25T14:48:53.732Z",
@@ -31,8 +19,20 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:29.489Z",
+ "name": "Application Developer Guidance",
+ "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
+ "labels": [
+ "NIST SP 800-53 Rev. 4 - AT-3",
+ "NIST SP 800-53 Rev. 4 - AT-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json b/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json
index bc4a29640c..6466d7d701 100644
--- a/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json
+++ b/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json
@@ -1,21 +1,9 @@
{
"type": "bundle",
- "id": "bundle--973f9011-d4d7-451d-b758-a343e4251c2c",
+ "id": "bundle--814faf7c-f34e-49bc-ba27-fa869109d07f",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:38:22.681Z",
- "name": "Boot Integrity",
- "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
- "labels": [
- "IEC 62443-4-2:2019 - CR 3.14",
- "NIST SP 800-53 Rev. 5 - SI-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405",
"created": "2019-06-11T17:02:36.984Z",
@@ -31,8 +19,20 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:29.725Z",
+ "name": "Boot Integrity",
+ "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+ "labels": [
+ "IEC 62443-4-2:2019 - CR 3.14",
+ "NIST SP 800-53 Rev. 5 - SI-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json b/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json
index 872483280d..c16d6efe7f 100644
--- a/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json
+++ b/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--09c0c428-60a1-4398-8010-9cad2a47750a",
+ "id": "bundle--b79173ab-dc13-4656-a62c-6fd2ce84dac9",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-24T15:09:07.609Z",
- "name": "Mechanical Protection Layers",
- "description": "Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disk, release values, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) ",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
"type": "course-of-action",
"id": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401",
"created": "2020-09-11T16:32:21.854Z",
@@ -31,7 +22,16 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:29.910Z",
+ "name": "Mechanical Protection Layers",
+ "description": "Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disk, release values, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json b/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json
index 0f8166152d..d02883adcd 100644
--- a/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json
+++ b/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json
@@ -1,21 +1,9 @@
{
"type": "bundle",
- "id": "bundle--44a428cf-27c1-44b5-ac8b-41b02d16f2b6",
+ "id": "bundle--8fa27468-5117-49ab-b962-0cbf489da624",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:13:41.305Z",
- "name": "Update Software",
- "description": "Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.",
- "labels": [
- "IEC 62443-4-2:2019 - CR 3.10",
- "NIST SP 800-53 Rev. 5 - SI-2"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
"created": "2019-06-11T17:12:55.207Z",
@@ -31,8 +19,20 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:30.090Z",
+ "name": "Update Software",
+ "description": "Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.",
+ "labels": [
+ "IEC 62443-4-2:2019 - CR 3.10",
+ "NIST SP 800-53 Rev. 5 - SI-2"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json b/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json
index f12e8e1aa2..ad789b191d 100644
--- a/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json
+++ b/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json
@@ -1,21 +1,9 @@
{
"type": "bundle",
- "id": "bundle--71cbfe9c-e616-4dde-8ab2-6bb1e22eedc0",
+ "id": "bundle--9b40f8a4-142a-4def-b172-dbfbb00a5495",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-30T20:55:16.383Z",
- "name": "Watchdog Timers",
- "description": "Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive.",
- "labels": [
- "IEC 62443-4-2:2019 - CR 7.2"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
"type": "course-of-action",
"id": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53",
"created": "2019-06-06T21:16:18.709Z",
@@ -29,7 +17,19 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:30.248Z",
+ "name": "Watchdog Timers",
+ "description": "Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive.",
+ "labels": [
+ "IEC 62443-4-2:2019 - CR 7.2"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json b/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json
index f6f9636045..20ebf9271a 100644
--- a/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json
+++ b/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--8babab7e-8027-45f1-908e-f06a60cbb282",
+ "id": "bundle--02b77fd7-3b8e-4304-a70e-dcd3b861e572",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-30T20:55:15.415Z",
- "name": "Operational Information Confidentiality",
- "description": "Deploy mechanisms to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).",
- "labels": [
- "IEC 62443-3-3:2013 - SR 4.1",
- "IEC 62443-4-2:2019 - CR 4.1"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
"type": "course-of-action",
"id": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa",
"created": "2019-06-06T21:16:18.709Z",
@@ -30,7 +17,20 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:30.453Z",
+ "name": "Operational Information Confidentiality",
+ "description": "Deploy mechanisms to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 4.1",
+ "IEC 62443-4-2:2019 - CR 4.1"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json b/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json
index 84ea8a965a..46affcf39f 100644
--- a/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json
+++ b/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--7a1c39a6-abab-49db-9dde-e316041d0023",
+ "id": "bundle--116eeee5-797b-4428-bd16-4d13074a1e30",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:50:30.709Z",
- "name": "Operating System Configuration",
- "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 7.7",
- "IEC 62443-4-2:2019 - CR 7.7",
- "NIST SP 800-53 Rev. 5 - CM-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce",
"created": "2019-06-06T21:16:18.709Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:30.648Z",
+ "name": "Operating System Configuration",
+ "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 7.7",
+ "IEC 62443-4-2:2019 - CR 7.7",
+ "NIST SP 800-53 Rev. 5 - CM-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json b/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json
index 8afe1011e9..f739b5dad2 100644
--- a/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json
+++ b/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--c499b043-f58e-44a1-ba8b-b92a53234bde",
+ "id": "bundle--76ef7fae-f87a-4298-84f5-0550fce2eb93",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:48:22.980Z",
- "name": "Limit Hardware Installation",
- "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 3.2",
- "IEC 62443-4-2:2019 - EDR 3.2",
- "NIST SP 800-53 Rev. 5 - MP-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0",
"created": "2019-06-11T16:28:41.809Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:30.822Z",
+ "name": "Limit Hardware Installation",
+ "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.2",
+ "IEC 62443-4-2:2019 - EDR 3.2",
+ "NIST SP 800-53 Rev. 5 - MP-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json b/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json
index 636a38345e..83fb89088b 100644
--- a/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json
+++ b/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--4d9b04f9-3ee8-4d54-a1f0-9d24ab04f9f9",
+ "id": "bundle--c4acedf2-caad-4f45-addd-2782ed3affc5",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:43:17.085Z",
- "name": "Encrypt Sensitive Information",
- "description": "Protect sensitive data-at-rest with strong encryption.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 4.1",
- "IEC 62443-4-2:2019 - CR 4.1",
- "NIST SP 800-53 Rev. 5 - SC-28"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
"created": "2019-06-11T16:43:44.834Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:31.005Z",
+ "name": "Encrypt Sensitive Information",
+ "description": "Protect sensitive data-at-rest with strong encryption.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 4.1",
+ "IEC 62443-4-2:2019 - CR 4.1",
+ "NIST SP 800-53 Rev. 5 - SC-28"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json b/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json
index 400a55807b..3a75973061 100644
--- a/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json
+++ b/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json
@@ -1,20 +1,9 @@
{
"type": "bundle",
- "id": "bundle--7866d0ef-cb13-4be4-a04d-d8de871d4521",
+ "id": "bundle--79da5923-4e2c-4ca0-9674-dca68c1fed67",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:49:34.958Z",
- "name": "Network Allowlists",
- "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.",
- "labels": [
- "NIST SP 800-53 Rev. 5 - AC-3"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"created": "2019-06-10T20:53:36.319Z",
@@ -30,8 +19,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:31.149Z",
+ "name": "Network Allowlists",
+ "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.",
+ "labels": [
+ "NIST SP 800-53 Rev. 5 - AC-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json b/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json
index ccd77848d5..cfd7a9de82 100644
--- a/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json
+++ b/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json
@@ -1,21 +1,9 @@
{
"type": "bundle",
- "id": "bundle--eae7bcdd-028f-41c6-b076-e85c8a792005",
+ "id": "bundle--c500f61f-8675-4a16-81cb-c335ac14e623",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:13:12.169Z",
- "name": "Supply Chain Management",
- "description": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.",
- "labels": [
- "NIST SP 800-53 Rev. 4 - SA-12",
- "NIST SP 800-53 Rev. 5 - SR-1"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c",
"created": "2021-04-12T17:00:21.233Z",
@@ -31,8 +19,20 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:31.301Z",
+ "name": "Supply Chain Management",
+ "description": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.",
+ "labels": [
+ "NIST SP 800-53 Rev. 4 - SA-12",
+ "NIST SP 800-53 Rev. 5 - SR-1"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json b/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json
index 9841ea84d8..eaf9571549 100644
--- a/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json
+++ b/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--227cff58-1d84-403f-8dbc-95b7b5c4ea44",
+ "id": "bundle--bed605d5-446d-4176-b31a-8b5ec2b262ab",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:41:39.667Z",
- "name": "Data Backup",
- "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 7.3",
- "IEC 62443-4-2:2019 - CR 7.3",
- "NIST SP 800-53 Rev. 5 - CP-9"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"created": "2019-07-19T14:33:33.543Z",
@@ -37,8 +24,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:31.496Z",
+ "name": "Data Backup",
+ "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 7.3",
+ "IEC 62443-4-2:2019 - CR 7.3",
+ "NIST SP 800-53 Rev. 5 - CP-9"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json b/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json
index 7d71bdea30..9fffd68cfc 100644
--- a/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json
+++ b/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json
@@ -1,20 +1,9 @@
{
"type": "bundle",
- "id": "bundle--2b1fc426-975a-4d36-9fed-b223e612e5e7",
+ "id": "bundle--4e5878de-19b5-455a-a91e-c91667308a93",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:50:55.129Z",
- "name": "Out-of-Band Communications Channel",
- "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)",
- "labels": [
- "NIST SP 800-53 Rev. 5 - SC-37"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
"created": "2019-06-06T21:16:18.709Z",
@@ -40,8 +29,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:31.696Z",
+ "name": "Out-of-Band Communications Channel",
+ "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)",
+ "labels": [
+ "NIST SP 800-53 Rev. 5 - SC-37"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json b/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json
index e1ccbc44c0..8cbff007cf 100644
--- a/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json
+++ b/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json
@@ -1,23 +1,9 @@
{
"type": "bundle",
- "id": "bundle--50a9d811-33e8-4693-bd1d-e0cb3973fdb5",
+ "id": "bundle--40c70869-98a4-48fb-8593-57f7cddeed13",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:34:08.571Z",
- "name": "Audit",
- "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 3.4",
- "IEC 62443-4-2:2019 - CR 3.4",
- "NIST SP 800-53 Rev. 4 - SI-7",
- "NIST SP 800-53 Rev. 5 - SI-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"created": "2019-06-11T17:06:14.029Z",
@@ -33,8 +19,22 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:31.848Z",
+ "name": "Audit",
+ "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.4",
+ "IEC 62443-4-2:2019 - CR 3.4",
+ "NIST SP 800-53 Rev. 4 - SI-7",
+ "NIST SP 800-53 Rev. 5 - SI-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json b/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json
index e1eb34d817..494eb45e3f 100644
--- a/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json
+++ b/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--46313d24-da0b-4699-a222-6704a3463672",
+ "id": "bundle--6a3e48bc-09d8-4d9d-aa99-9befb5e446a4",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:40:49.135Z",
- "name": "Communication Authenticity",
- "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 3.1",
- "IEC 62443-4-2:2019 - CR 3.1",
- "NIST SP 800-53 Rev. 5 - SC-8; SC-23"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"created": "2020-09-11T16:32:21.854Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:32.013Z",
+ "name": "Communication Authenticity",
+ "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.1",
+ "IEC 62443-4-2:2019 - CR 3.1",
+ "NIST SP 800-53 Rev. 5 - SC-8; SC-23"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json b/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json
index 0d4acc4b4e..441c0c1fc6 100644
--- a/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json
+++ b/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--385a1c2f-f6c3-4190-b0ca-588a643dc631",
+ "id": "bundle--540605ed-631b-4136-b0c5-ec60a6ebf4c5",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:42:11.231Z",
- "name": "Disable or Remove Feature or Program",
- "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 7.7",
- "IEC 62443-4-2:2019 - CR 7.7",
- "NIST SP 800-53 Rev. 5 - CM-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
"created": "2019-06-11T16:45:19.740Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:32.177Z",
+ "name": "Disable or Remove Feature or Program",
+ "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 7.7",
+ "IEC 62443-4-2:2019 - CR 7.7",
+ "NIST SP 800-53 Rev. 5 - CM-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json b/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json
index f73f2177db..839f19c434 100644
--- a/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json
+++ b/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--4e09bb32-2d2c-4131-bc78-128b30489231",
+ "id": "bundle--30087741-ae69-40bb-9803-9d1ec3e2cf17",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-24T15:09:07.609Z",
- "name": "Threat Intelligence Program",
- "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
"type": "course-of-action",
"id": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499",
"created": "2019-06-06T19:55:50.927Z",
@@ -26,7 +17,16 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:32.342Z",
+ "name": "Threat Intelligence Program",
+ "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json b/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json
index 94ef08317f..7aeb4ba8bd 100644
--- a/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json
+++ b/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--3c28857b-af86-4fbb-a407-d4a30f8ce8d2",
+ "id": "bundle--187f128c-d63e-48de-b885-2a35e3879a6e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-24T15:09:07.609Z",
- "name": "Safety Instrumented Systems",
- "description": "Utilize Safety Instrumented Systems (SIS) to provide an additional layer of protection to hazard scenarios that may cause property damage. A SIS will typically include sensors, logic solvers, and a final control element that can be used to automatically respond to an hazardous condition (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) . Ensure that all SISs are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
"type": "course-of-action",
"id": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848",
"created": "2019-06-06T21:16:18.709Z",
@@ -31,7 +22,16 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:32.513Z",
+ "name": "Safety Instrumented Systems",
+ "description": "Utilize Safety Instrumented Systems (SIS) to provide an additional layer of protection to hazard scenarios that may cause property damage. A SIS will typically include sensors, logic solvers, and a final control element that can be used to automatically respond to an hazardous condition (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) . Ensure that all SISs are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json b/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json
index 8f26930a68..797f645a76 100644
--- a/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json
+++ b/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json
@@ -1,20 +1,9 @@
{
"type": "bundle",
- "id": "bundle--2b055b47-71c4-4353-849a-02028be166a3",
+ "id": "bundle--7e778b21-f997-474f-a488-ad803b66b26d",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:14:30.311Z",
- "name": "User Training",
- "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
- "labels": [
- "NIST SP 800-53 Rev. 5 - AT-2"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba",
"created": "2019-06-06T16:50:04.963Z",
@@ -30,8 +19,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:32.717Z",
+ "name": "User Training",
+ "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+ "labels": [
+ "NIST SP 800-53 Rev. 5 - AT-2"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json b/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json
index 49973088e6..36e08cdbc3 100644
--- a/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json
+++ b/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--08a2e176-7abb-4f22-b4ed-abbaaf623e50",
+ "id": "bundle--c6b83937-a8b3-43ac-9c56-075712e37000",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:49:12.466Z",
- "name": "Multi-factor Authentication",
- "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 1.7",
- "IEC 62443-4-2:2019 - CR 1.7",
- "NIST SP 800-53 Rev. 5 - IA-2"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd",
"created": "2019-06-10T20:53:36.319Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:32.907Z",
+ "name": "Multi-factor Authentication",
+ "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 1.7",
+ "IEC 62443-4-2:2019 - CR 1.7",
+ "NIST SP 800-53 Rev. 5 - IA-2"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json b/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json
index cd8c16d43c..74428c11d2 100644
--- a/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json
+++ b/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json
@@ -1,20 +1,9 @@
{
"type": "bundle",
- "id": "bundle--17a6ffd4-bbb4-41a2-96fd-af1d2e183934",
+ "id": "bundle--a5539a91-b700-4162-b0a0-fdeeb452cb13",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:15:23.350Z",
- "name": "Vulnerability Scanning",
- "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
- "labels": [
- "NIST SP 800-53 Rev. 5 - RA-5"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037",
"created": "2019-06-06T16:47:30.700Z",
@@ -30,8 +19,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:33.110Z",
+ "name": "Vulnerability Scanning",
+ "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+ "labels": [
+ "NIST SP 800-53 Rev. 5 - RA-5"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json b/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json
index 8075c2b8f7..c640bd4427 100644
--- a/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json
+++ b/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--438c1611-51cf-4f4b-ba9a-71251ce834fc",
+ "id": "bundle--5740fcc7-f713-4940-980e-4bc50bc69461",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json b/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json
index 26beb53788..3ed2c0bf69 100644
--- a/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json
+++ b/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--91b63604-0745-4d59-9d83-f77b0c02ff43",
+ "id": "bundle--a3c915f0-1e66-4ab9-88ea-7da2341ba0c4",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:14:10.061Z",
- "name": "User Account Management",
- "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 1.3",
- "IEC 62443-4-2:2019 - CR 1.3",
- "NIST SP 800-53 Rev. 5 - AC-2"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48",
"created": "2019-06-06T16:50:58.767Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:33.298Z",
+ "name": "User Account Management",
+ "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 1.3",
+ "IEC 62443-4-2:2019 - CR 1.3",
+ "NIST SP 800-53 Rev. 5 - AC-2"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json b/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json
index 553bad60a2..a7b4e413e4 100644
--- a/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json
+++ b/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json
@@ -1,20 +1,9 @@
{
"type": "bundle",
- "id": "bundle--ee2b4b82-33ce-417d-aa2d-f5c2f5154144",
+ "id": "bundle--fda41087-60c0-49c4-8c2f-efe9628fec5d",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:52:11.728Z",
- "name": "Redundancy of Service",
- "description": "Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.",
- "labels": [
- "NIST SP 800-53 Rev. 5 - CP-9"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
"created": "2019-06-06T21:16:18.709Z",
@@ -30,8 +19,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:33.475Z",
+ "name": "Redundancy of Service",
+ "description": "Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.",
+ "labels": [
+ "NIST SP 800-53 Rev. 5 - CP-9"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json b/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json
index d680a89a11..886b6981b8 100644
--- a/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json
+++ b/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--baf8a6a2-ff91-4232-b843-fd385f66673e",
+ "id": "bundle--960c4370-d8d8-4938-ac68-0b47722d76e7",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:10:12.604Z",
- "name": "Restrict File and Directory Permissions",
- "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 2.1",
- "IEC 62443-4-2:2019 - CR 2.1",
- "NIST SP 800-53 Rev. 5 - AC-6"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
"created": "2019-06-06T20:54:49.964Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:33.651Z",
+ "name": "Restrict File and Directory Permissions",
+ "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 2.1",
+ "IEC 62443-4-2:2019 - CR 2.1",
+ "NIST SP 800-53 Rev. 5 - AC-6"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json b/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json
index c8dbfaf783..2cb89191bd 100644
--- a/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json
+++ b/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--411ca933-a160-49de-a175-90f3e264173c",
+ "id": "bundle--171c312a-68cd-423e-972c-963d5cefe636",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-20T13:12:04.727Z",
- "name": "Software Configuration",
- "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.",
- "labels": [
- "IEC 62443-3-3:2013 - SR 7.7",
- "IEC 62443-4-2:2019 - CR 7.7",
- "NIST SP 800-53 Rev. 5 - CM-7"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21",
"created": "2019-07-19T14:40:23.529Z",
@@ -32,8 +19,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:33.833Z",
+ "name": "Software Configuration",
+ "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 7.7",
+ "IEC 62443-4-2:2019 - CR 7.7",
+ "NIST SP 800-53 Rev. 5 - CM-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json b/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json
index 32a7cfa92a..e137fe36bf 100644
--- a/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json
+++ b/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json
@@ -1,23 +1,9 @@
{
"type": "bundle",
- "id": "bundle--7475ecd3-879f-4b87-a31a-e691d07bac56",
+ "id": "bundle--2b8eea45-e1f4-490b-b52e-7dd35eee6353",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:32:18.375Z",
- "name": "Antivirus/Antimalware",
- "description": "Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)",
- "labels": [
- "IEC 62443-3-3:2013 - SR 3.2",
- "IEC 62443-4-2:2019 - CR 3.2",
- "NIST SP 800-53 Rev. 4 - SI-3",
- "NIST SP 800-53 Rev. 5 - SI-3"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7",
"created": "2019-06-11T17:08:33.055Z",
@@ -38,8 +24,22 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:34.009Z",
+ "name": "Antivirus/Antimalware",
+ "description": "Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.2",
+ "IEC 62443-4-2:2019 - CR 3.2",
+ "NIST SP 800-53 Rev. 4 - SI-3",
+ "NIST SP 800-53 Rev. 5 - SI-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json b/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json
index db6ce4cd91..2600f2780d 100644
--- a/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json
+++ b/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json
@@ -1,22 +1,9 @@
{
"type": "bundle",
- "id": "bundle--2fe4e25d-f87d-4351-ad7c-7746e597743e",
+ "id": "bundle--8f5114b1-433e-434a-bd75-b89efcb7690a",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-09-19T21:48:44.925Z",
- "name": "Minimize Wireless Signal Propagation",
- "description": "Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)",
- "labels": [
- "IEC 62443-3-3:2013 - SR 1.6",
- "IEC 62443-4-2:2019 - CR 1.6",
- "NIST SP 800-53 Rev. 5 - SC-40"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
"type": "course-of-action",
"id": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e",
"created": "2020-09-11T16:32:21.854Z",
@@ -42,8 +29,21 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:34.172Z",
+ "name": "Minimize Wireless Signal Propagation",
+ "description": "Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 1.6",
+ "IEC 62443-4-2:2019 - CR 1.6",
+ "NIST SP 800-53 Rev. 5 - SC-40"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/ics-attack.json b/ics-attack/ics-attack.json
index 409eba52b6..18bd32e2f6 100644
--- a/ics-attack/ics-attack.json
+++ b/ics-attack/ics-attack.json
@@ -1 +1 @@
-{"type":"bundle","id":"bundle--dc396368-a9e5-4d39-98f5-c2a9bee3ae47","objects":[{"tactic_refs":["x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a","x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45","x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac","x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046","x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7","x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453","x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924","x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9","x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f","x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134","x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024","x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279"],"x_mitre_domains":["ics-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"created":"2018-10-17T00:14:20.652Z","description":"The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","external_id":"ics-attack","url":"https://attack.mitre.org/matrices/ics/"}],"id":"x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7","modified":"2022-05-06T17:47:24.396Z","name":"ATT&CK for ICS","type":"x-mitre-matrix","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"modified":"2023-09-19T21:33:26.200Z","name":"Application Isolation and Sandboxing","description":"Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.","labels":["IEC 62443-3-3:2013 - SR 5.4","IEC 62443-4-2:2019 - CR 5.4","NIST SP 800-53 Rev. 5 - SI-3"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea","created":"2019-06-11T17:06:56.230Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0948","external_id":"M0948"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:44:59.425Z","name":"Filter Network Traffic","description":"Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)","labels":["IEC 62443-3-3:2013 - SR 5.1","IEC 62443-4-2:2019 - CR 5.1","NIST SP 800-53 Rev. 5 - AC-3; SC-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","created":"2019-06-11T16:33:55.337Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0937","external_id":"M0937"},{"source_name":"Centre for the Protection of National Infrastructure February 2005","description":"Centre for the Protection of National Infrastructure 2005, February FIREWALL DEPLOYMENT FOR SCADA AND PROCESS CONTROL NETWORKS Retrieved. 2020/09/17 ","url":"https://www.energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:11:35.668Z","name":"Restrict Web-Based Content","description":"Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.","labels":["IEC 62443-3-3:2013 - SR 2.4","IEC 62443-4-2:2019 - HDR 2.4","NIST SP 800-53 Rev. 5 - SC-18"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144","created":"2019-06-06T20:52:59.206Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0921","external_id":"M0921"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:14:57.819Z","name":"Validate Program Inputs","description":"Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)","labels":["IEC 62443-3-3:2013 - SR 3.5","IEC 62443-3-3:2013 - SR 3.6","IEC 62443-4-2:2019 - CR 3.5","IEC 62443-4-2:2019 - CR 3.6","NIST SP 800-53 Rev. 5 - SI-10"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517","created":"2023-03-22T15:49:55.439Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0818","external_id":"M0818"},{"source_name":"PLCTop20 Mar 2023","description":"PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.","url":"https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:50:12.354Z","name":"Network Segmentation","description":"Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)","labels":["IEC 62443-3-3:2013 - SR 5.1","IEC 62443-4-2:2019 - CR 5.1","NIST SP 800-53 Rev. 5 - AC-3"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","created":"2019-06-10T20:41:03.271Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0930","external_id":"M0930"},{"source_name":"IEC August 2013","description":"IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 2020/09/25 ","url":"https://webstore.iec.ch/publication/7033"},{"source_name":"IEC February 2019","description":"IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ","url":"https://webstore.iec.ch/publication/34421"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:10:52.949Z","name":"Restrict Library Loading","description":"Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.","labels":["IEC 62443-3-3:2013 - SR 7.7","IEC 62443-4-2:2019 - CR 7.7","NIST SP 800-53 Rev. 5 - CM-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3","created":"2019-06-11T17:00:01.740Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0944","external_id":"M0944"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Active Directory Configuration","description":"Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"course-of-action","id":"course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722","created":"2019-06-06T16:39:58.291Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0915","external_id":"M0915"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-09-19T21:49:53.366Z","name":"Network Intrusion Prevention","description":"Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.","labels":["IEC 62443-3-3:2013 - SR 6.2","IEC 62443-4-2:2019 - CR 6.2","NIST SP 800-53 Rev. 5 - SI-4"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--3172222b-4983-43f7-8983-753ded4f13bc","created":"2019-06-10T20:46:02.263Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0931","external_id":"M0931"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:11:12.773Z","name":"Restrict Registry Permissions","description":"Restrict the ability to modify certain hives or keys in the Windows Registry.","labels":["IEC 62443-3-3:2013 - SR 2.1","IEC 62443-4-2:2019 - CR 2.1","NIST SP 800-53 Rev. 5 - AC-6"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3","created":"2019-06-06T20:58:59.577Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0924","external_id":"M0924"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-30T20:55:14.442Z","name":"Data Loss Prevention","description":"Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.","labels":["IEC 62443-3-3:2013 - SR 4.1","IEC 62443-4-2:2019 - CR 4.1"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"course-of-action","id":"course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5","created":"2020-09-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0803","external_id":"M0803"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-09-19T21:30:56.250Z","name":"Access Management","description":"Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provided sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)","labels":["IEC 62443-3-3:2013 - SR 2.1","IEC 62443-4-2:2019 - CR 2.1","NIST SP 800-53 Rev. 5 - AC-3"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","created":"2020-09-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0801","external_id":"M0801"},{"source_name":"Centre for the Protection of National Infrastructure November 2010","description":"Centre for the Protection of National Infrastructure 2010, November Configuring and Managing Remote Access for Industrial Control Systems Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf"},{"source_name":"McCarthy, J et al. July 2018","description":"McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ","url":"https://doi.org/10.6028/NIST.SP.1800-2"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Mitigation Limited or Not Effective","description":"This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"course-of-action","id":"course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433","created":"2020-09-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0816","external_id":"M0816"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-09-19T21:44:04.416Z","name":"Exploit Protection","description":"Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.","labels":["IEC 62443-3-3:2013 - SR 3.2","IEC 62443-4-2:2019 - CR 3.2","NIST SP 800-53 Rev. 5 - SI-16"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--49363b74-d506-4342-bd63-320586ebadb9","created":"2019-06-11T17:10:57.070Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0950","external_id":"M0950"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:48:00.950Z","name":"Limit Access to Resource Over Network","description":"Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.","labels":["IEC 62443-3-3:2013 - SR 5.1","IEC 62443-4-2:2019 - CR 5.1","NIST SP 800-53 Rev. 5 - AC-3; SC-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110","created":"2019-06-11T16:30:16.672Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0935","external_id":"M0935"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:43:44.551Z","name":"Execution Prevention","description":"Block execution of code on a system through application control, and/or script blocking.","labels":["IEC 62443-3-3:2013 - SR 3.2","IEC 62443-4-2:2019 - CR 3.2","NIST SP 800-53 Rev. 5 - SI-3"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30","created":"2019-06-11T16:35:25.488Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0938","external_id":"M0938"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:12:51.139Z","name":"Static Network Configuration","description":"Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.","labels":["IEC 62443-3-3:2013 - SR 7.7","IEC 62443-4-2:2019 - CR 7.7","NIST SP 800-53 Rev. 5 - CM-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.1","type":"course-of-action","id":"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a","created":"2019-06-06T21:16:18.709Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0814","external_id":"M0814"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:51:14.526Z","name":"Password Policies","description":"Set and enforce secure password policies for accounts.","labels":["IEC 62443-3-3:2013 - SR 1.5","IEC 62443-4-2:2019 - CR 1.5","NIST SP 800-53 Rev. 5 - IA-5"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65","created":"2019-06-06T21:10:35.792Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0927","external_id":"M0927"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:51:40.366Z","name":"Privileged Account Management","description":"Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.","labels":["IEC 62443-3-3:2013 - SR 1.3","IEC 62443-4-2:2019 - CR 1.3","NIST SP 800-53 Rev. 5 - AC-2"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5","created":"2019-06-06T21:09:47.115Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0926","external_id":"M0926"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-20T17:02:00.299Z","name":"Human User Authentication","description":"Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).","labels":["IEC 62443-3-3:2013 - SR 1.1","IEC 62443-4-2:2019 - CR 1.1","NIST SP 800-53 Rev. 5 - IA-2"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.1","type":"course-of-action","id":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","created":"2020-09-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0804","external_id":"M0804"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"SSL/TLS Inspection","description":"Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"course-of-action","id":"course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c","created":"2019-06-06T20:15:34.146Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0920","external_id":"M0920"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-09-19T21:39:41.056Z","name":"Code Signing","description":"Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.","labels":["IEC 62443-3-3:2013 - SR 3.4","IEC 62443-4-2:2019 - CR 3.4","NIST SP 800-53 Rev. 5 - SI-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","created":"2019-06-11T17:01:25.405Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0945","external_id":"M0945"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-10-14T20:31:04.927Z","name":"Software Process and Device Authentication","description":"Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.","labels":["IEC 62443-3-3:2013 - SR 1.2","IEC 62443-4-2:2019 - CR 1.2","NIST SP 800-53 Rev. 5 - IA-3"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.1","type":"course-of-action","id":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","created":"2019-06-06T21:16:18.709Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0813","external_id":"M0813"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:42:52.198Z","name":"Encrypt Network Traffic","description":"Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.","labels":["IEC 62443-3-3:2013 - SR 4.1","IEC 62443-4-2:2019 - CR 4.1","NIST SP 800-53 Rev. 5 - SC-8"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a","created":"2020-09-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0808","external_id":"M0808"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:31:48.809Z","name":"Account Use Policies","description":"Configure features related to account use like login attempt lockouts, specific login times, etc.","labels":["IEC 62443-3-3:2013 - SR 1.11","IEC 62443-4-2:2019 - CR 1.11","NIST SP 800-53 Rev. 5 - IA-5"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02","created":"2019-06-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0936","external_id":"M0936"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:32:48.390Z","name":"Application Developer Guidance","description":"This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.","labels":["NIST SP 800-53 Rev. 4 - AT-3","NIST SP 800-53 Rev. 4 - AT-3"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7","created":"2017-10-25T14:48:53.732Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0913","external_id":"M0913"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:38:22.681Z","name":"Boot Integrity","description":"Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.","labels":["IEC 62443-4-2:2019 - CR 3.14","NIST SP 800-53 Rev. 5 - SI-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405","created":"2019-06-11T17:02:36.984Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0946","external_id":"M0946"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Mechanical Protection Layers","description":"Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disk, release values, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) ","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"course-of-action","id":"course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401","created":"2020-09-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0805","external_id":"M0805"},{"source_name":"A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004","description":"A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ","url":"https://www.icheme.org/media/9906/xviii-paper-23.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-09-20T13:13:41.305Z","name":"Update Software","description":"Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.","labels":["IEC 62443-4-2:2019 - CR 3.10","NIST SP 800-53 Rev. 5 - SI-2"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e","created":"2019-06-11T17:12:55.207Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0951","external_id":"M0951"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-30T20:55:16.383Z","name":"Watchdog Timers","description":"Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive.","labels":["IEC 62443-4-2:2019 - CR 7.2"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"course-of-action","id":"course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53","created":"2019-06-06T21:16:18.709Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0815","external_id":"M0815"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-03-30T20:55:15.415Z","name":"Operational Information Confidentiality","description":"Deploy mechanisms to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).","labels":["IEC 62443-3-3:2013 - SR 4.1","IEC 62443-4-2:2019 - CR 4.1"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"course-of-action","id":"course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa","created":"2019-06-06T21:16:18.709Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0809","external_id":"M0809"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-09-19T21:50:30.709Z","name":"Operating System Configuration","description":"Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.","labels":["IEC 62443-3-3:2013 - SR 7.7","IEC 62443-4-2:2019 - CR 7.7","NIST SP 800-53 Rev. 5 - CM-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce","created":"2019-06-06T21:16:18.709Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0928","external_id":"M0928"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:48:22.980Z","name":"Limit Hardware Installation","description":"Block users or groups from installing or using unapproved hardware on systems, including USB devices.","labels":["IEC 62443-3-3:2013 - SR 3.2","IEC 62443-4-2:2019 - EDR 3.2","NIST SP 800-53 Rev. 5 - MP-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0","created":"2019-06-11T16:28:41.809Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0934","external_id":"M0934"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:43:17.085Z","name":"Encrypt Sensitive Information","description":"Protect sensitive data-at-rest with strong encryption.","labels":["IEC 62443-3-3:2013 - SR 4.1","IEC 62443-4-2:2019 - CR 4.1","NIST SP 800-53 Rev. 5 - SC-28"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc","created":"2019-06-11T16:43:44.834Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0941","external_id":"M0941"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:49:34.958Z","name":"Network Allowlists","description":"Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.","labels":["NIST SP 800-53 Rev. 5 - AC-3"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","created":"2019-06-10T20:53:36.319Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0807","external_id":"M0807"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:13:12.169Z","name":"Supply Chain Management","description":"Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.","labels":["NIST SP 800-53 Rev. 4 - SA-12","NIST SP 800-53 Rev. 5 - SR-1"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c","created":"2021-04-12T17:00:21.233Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0817","external_id":"M0817"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:41:39.667Z","name":"Data Backup","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.","labels":["IEC 62443-3-3:2013 - SR 7.3","IEC 62443-4-2:2019 - CR 7.3","NIST SP 800-53 Rev. 5 - CP-9"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","created":"2019-07-19T14:33:33.543Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0953","external_id":"M0953"},{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:50:55.129Z","name":"Out-of-Band Communications Channel","description":"Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)","labels":["NIST SP 800-53 Rev. 5 - SC-37"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","created":"2019-06-06T21:16:18.709Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0810","external_id":"M0810"},{"source_name":"Defense Advanced Research Projects Agency","description":"Defense Advanced Research Projects Agency National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 ","url":"https://www.darpa.mil/program/rapid-attack-detection-isolation-and-characterization-systems"},{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:34:08.571Z","name":"Audit","description":"Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.","labels":["IEC 62443-3-3:2013 - SR 3.4","IEC 62443-4-2:2019 - CR 3.4","NIST SP 800-53 Rev. 4 - SI-7","NIST SP 800-53 Rev. 5 - SI-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","created":"2019-06-11T17:06:14.029Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0947","external_id":"M0947"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:40:49.135Z","name":"Communication Authenticity","description":"When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.","labels":["IEC 62443-3-3:2013 - SR 3.1","IEC 62443-4-2:2019 - CR 3.1","NIST SP 800-53 Rev. 5 - SC-8; SC-23"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","created":"2020-09-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0802","external_id":"M0802"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:42:11.231Z","name":"Disable or Remove Feature or Program","description":"Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.","labels":["IEC 62443-3-3:2013 - SR 7.7","IEC 62443-4-2:2019 - CR 7.7","NIST SP 800-53 Rev. 5 - CM-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--d0909119-2f71-4923-87db-b649881672d7","created":"2019-06-11T16:45:19.740Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0942","external_id":"M0942"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Threat Intelligence Program","description":"A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"course-of-action","id":"course-of-action--d48b79b2-076d-483e-949c-0d38aa347499","created":"2019-06-06T19:55:50.927Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0919","external_id":"M0919"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"Safety Instrumented Systems","description":"Utilize Safety Instrumented Systems (SIS) to provide an additional layer of protection to hazard scenarios that may cause property damage. A SIS will typically include sensors, logic solvers, and a final control element that can be used to automatically respond to an hazardous condition (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) . Ensure that all SISs are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"course-of-action","id":"course-of-action--da44255d-85c5-492c-baf3-ee823d44f848","created":"2019-06-06T21:16:18.709Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0812","external_id":"M0812"},{"source_name":"A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004","description":"A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ","url":"https://www.icheme.org/media/9906/xviii-paper-23.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-09-20T13:14:30.311Z","name":"User Training","description":"Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.","labels":["NIST SP 800-53 Rev. 5 - AT-2"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba","created":"2019-06-06T16:50:04.963Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0917","external_id":"M0917"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:49:12.466Z","name":"Multi-factor Authentication","description":"Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.","labels":["IEC 62443-3-3:2013 - SR 1.7","IEC 62443-4-2:2019 - CR 1.7","NIST SP 800-53 Rev. 5 - IA-2"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd","created":"2019-06-10T20:53:36.319Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0932","external_id":"M0932"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:15:23.350Z","name":"Vulnerability Scanning","description":"Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.","labels":["NIST SP 800-53 Rev. 5 - RA-5"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037","created":"2019-06-06T16:47:30.700Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0916","external_id":"M0916"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-20T17:01:38.562Z","name":"Authorization Enforcement","description":"The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)","labels":["IEC 62443-3-3:2013 - SR 2.1","IEC 62443-4-2:2019 - CR 2.1","NIST SP 800-53 Rev. 5 - AC-3"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.1","type":"course-of-action","id":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","created":"2020-09-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0800","external_id":"M0800"},{"source_name":"Institute of Electrical and Electronics Engineers January 2014","description":"Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 2020/09/17 ","url":"https://standards.ieee.org/standard/1686-2013.html"},{"source_name":"International Electrotechnical Commission July 2020","description":"International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ","url":"https://webstore.iec.ch/publication/6912"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:14:10.061Z","name":"User Account Management","description":"Manage the creation, modification, use, and permissions associated to user accounts.","labels":["IEC 62443-3-3:2013 - SR 1.3","IEC 62443-4-2:2019 - CR 1.3","NIST SP 800-53 Rev. 5 - AC-2"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48","created":"2019-06-06T16:50:58.767Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0918","external_id":"M0918"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:52:11.728Z","name":"Redundancy of Service","description":"Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.","labels":["NIST SP 800-53 Rev. 5 - CP-9"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd","created":"2019-06-06T21:16:18.709Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0811","external_id":"M0811"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:10:12.604Z","name":"Restrict File and Directory Permissions","description":"Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.","labels":["IEC 62443-3-3:2013 - SR 2.1","IEC 62443-4-2:2019 - CR 2.1","NIST SP 800-53 Rev. 5 - AC-6"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971","created":"2019-06-06T20:54:49.964Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0922","external_id":"M0922"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T13:12:04.727Z","name":"Software Configuration","description":"Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.","labels":["IEC 62443-3-3:2013 - SR 7.7","IEC 62443-4-2:2019 - CR 7.7","NIST SP 800-53 Rev. 5 - CM-7"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21","created":"2019-07-19T14:40:23.529Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0954","external_id":"M0954"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:32:18.375Z","name":"Antivirus/Antimalware","description":"Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)","labels":["IEC 62443-3-3:2013 - SR 3.2","IEC 62443-4-2:2019 - CR 3.2","NIST SP 800-53 Rev. 4 - SI-3","NIST SP 800-53 Rev. 5 - SI-3"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7","created":"2019-06-11T17:08:33.055Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0949","external_id":"M0949"},{"source_name":"NCCIC August 2018","description":"NCCIC 2018, August 2 Recommended Practice: Updating Antivirus in an Industrial Control System Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/Recommended%20Practice%20Updating%20Antivirus%20in%20an%20Industrial%20Control%20System_S508C.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-19T21:48:44.925Z","name":"Minimize Wireless Signal Propagation","description":"Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)","labels":["IEC 62443-3-3:2013 - SR 1.6","IEC 62443-4-2:2019 - CR 1.6","NIST SP 800-53 Rev. 5 - SC-40"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e","created":"2020-09-11T16:32:21.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M0806","external_id":"M0806"},{"source_name":"CISA March 2010","description":"CISA 2010, March Securing Wireless Networks Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/ncas/tips/ST05-003"},{"source_name":"DHS National Urban Security Technology Laboratory April 2019","description":"DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ","url":"https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-08T22:04:48.834Z","name":"EKANS","description":"[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"2.0","x_mitre_aliases":["EKANS","SNAKEHOSE"],"type":"malware","id":"malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5","created":"2021-02-12T20:07:42.883Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0605","external_id":"S0605"},{"source_name":"EKANS","description":"(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)(Citation: FireEye Ransomware Feb 2020)"},{"source_name":"SNAKEHOSE","description":"(Citation: FireEye Ransomware Feb 2020)"},{"source_name":"Dragos EKANS","description":"Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.","url":"https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"},{"source_name":"Palo Alto Unit 42 EKANS","description":"Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.","url":"https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/"},{"source_name":"FireEye Ransomware Feb 2020","description":"Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.","url":"https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-12T17:18:25.971Z","name":"Backdoor.Oldrea","description":"[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"2.0","x_mitre_aliases":["Backdoor.Oldrea","Havex"],"type":"malware","id":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","created":"2017-05-31T21:32:59.661Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0093","external_id":"S0093"},{"source_name":"Gigamon Berserk Bear October 2021","description":"Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.","url":"https://vblocalhost.com/uploads/VB2021-Slowik.pdf"},{"source_name":"Symantec Dragonfly Sept 2017","description":"Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.","url":"https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers"},{"source_name":"Symantec Dragonfly","description":"Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.","url":"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-10T23:46:32.577Z","name":"Stuxnet","description":"[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.4","x_mitre_aliases":["Stuxnet","W32.Stuxnet"],"type":"malware","id":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","created":"2020-12-14T17:34:58.457Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0603","external_id":"S0603"},{"source_name":"W32.Stuxnet","description":"(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) "},{"source_name":"CISA ICS Advisory ICSA-10-272-01","description":"CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020.","url":"https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01"},{"source_name":"ESET Stuxnet Under the Microscope","description":"Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.","url":"https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf"},{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"},{"source_name":"Langer Stuxnet","description":"Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.","url":"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Windows"],"x_mitre_domains":["ics-attack"],"x_mitre_aliases":["Industroyer","CRASHOVERRIDE"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"name":"Industroyer","description":"[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) is a sophisticated piece of malware designed to cause an [Impact](https://collaborate.mitre.org/attackics/index.php/Impact) to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.(Citation: ESET Win32/Industroyer) Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride)(Citation: CISA Alert (TA17-163A))(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2019)","id":"malware--1d8dccb3-e779-4702-aeb1-6627a22cc585","type":"malware","x_mitre_version":"1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2017-05-31T21:33:21.973Z","modified":"2021-10-21T14:00:00.188Z","external_references":[{"external_id":"S1004","source_name":"mitre-ics-attack","url":"https://collaborate.mitre.org/attackics/index.php/Software/S0001"},{"source_name":"ESET Win32/Industroyer","description":"Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"},{"source_name":"Dragos Crashoverride","description":"Dragos Inc.. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations. Retrieved September 18, 2017.","url":"https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf"},{"source_name":"CISA Alert TA17-163A CrashOverride June 2017","description":"CISA. (2017, June 12). Alert (TA17-163A). Retrieved October 22, 2019.","url":"https://us-cert.cisa.gov/ncas/alerts/TA17-163A"},{"source_name":"Dragos Crashoverride 2018","description":"Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"},{"source_name":"Dragos Crashoverride 2019","description":"Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. Retrieved October 22, 2019.","url":"https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":true},{"labels":["malware"],"x_mitre_platforms":["Windows"],"x_mitre_domains":["ics-attack"],"x_mitre_aliases":["Bad Rabbit","Diskcoder.D"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"name":"Bad Rabbit","description":"[Bad Rabbit](https://collaborate.mitre.org/attackics/index.php/Software/S0005) is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine. (Citation: ESET Bad Rabbit Oct 2017)","type":"malware","x_mitre_version":"1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","id":"malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec","created":"2017-05-31T21:32:59.661Z","modified":"2021-10-21T14:00:00.188Z","external_references":[{"external_id":"S1001","source_name":"mitre-ics-attack","url":"https://collaborate.mitre.org/attackics/index.php/Software/S0005"},{"description":"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/","source_name":"ESET Bad Rabbit Oct 2017","url":"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"},{"description":"Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. (2017, October 27). Bad Rabbit Ransomware. Retrieved October 27, 2019.","source_name":"Kaspersky Bad Rabbit Oct 2017","url":"https://securelist.com/bad-rabbit-ransomware/82851/"},{"description":"Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.","source_name":"Dragos IT Ransomware for ICS Environments Apr 2019","url":"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":true},{"modified":"2022-10-12T17:29:57.200Z","name":"Bad Rabbit","description":"[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) ","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["Bad Rabbit","Win32/Diskcoder.D"],"type":"malware","id":"malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a","created":"2021-02-09T14:35:39.455Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0606","external_id":"S0606"},{"source_name":"ESET Bad Rabbit","description":"M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.","url":"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"},{"source_name":"Secure List Bad Rabbit","description":"Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.","url":"https://securelist.com/bad-rabbit-ransomware/82851/"},{"source_name":"Dragos IT ICS Ransomware","description":"Slowik, J.. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.","url":"https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Windows"],"x_mitre_domains":["ics-attack"],"x_mitre_aliases":["Stuxnet"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"name":"Stuxnet","description":"[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.(Citation: Wired W32.Stuxnet Dossier Feb 2011)(Citation: Symantec W32.Stuxnet Writeup)(Citation: CISA ICS Advisory (ICSA-10-238-01B))(Citation: SCADAhacker Stuxnet Mitigation Jan 2014)","id":"malware--496bff4d-0700-4b28-b06f-f30a63002be7","x_mitre_version":"1.0","type":"malware","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2019-03-26T15:02:14.907Z","modified":"2021-10-21T14:00:00.188Z","external_references":[{"source_name":"mitre-ics-attack","external_id":"S1008","url":"https://collaborate.mitre.org/attackics/index.php/Software/S0010"},{"source_name":"Wired W32.Stuxnet Dossier Feb 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.","url":"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"},{"source_name":"Symantec W32.Stuxnet Writeup","description":"Jarrad Shearer. (n.d.). W32.Stuxnet Writeup. Retrieved October 22, 2019.","url":"https://www.symantec.com/security-center/writeup/2010-071400-3123-99"},{"source_name":"CISA ICS Advisory ICSA-10-238-01B Stuxnet January 2014","description":"CISA. (2014, January 08). Stuxnet Malware Mitigation (Update B). Retrieved October 22, 2019.","url":"https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B"},{"source_name":"SCADAhacker Stuxnet Mitigation Jan 2014","description":"Joel Langill. (2014, January 21). Stuxnet Mitigation. Retrieved October 22, 2019.","url":"https://scadahacker.com/resources/stuxnet-mitigation.html"},{"source_name":"Langer Stuxnet Analysis Nov 2013","description":"Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.","url":"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":true},{"labels":["malware"],"x_mitre_platforms":["Windows"],"x_mitre_domains":["ics-attack"],"x_mitre_aliases":["Conficker","Downadup","Kido"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"name":"Conficker","description":"[Conficker](https://collaborate.mitre.org/attackics/index.php/Software/S0012) is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant. (Citation: Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary)","type":"malware","x_mitre_version":"1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","id":"malware--49c04994-1035-4b58-89b7-cf8956e3b423","created":"2017-05-31T21:32:59.661Z","modified":"2021-10-21T14:00:00.188Z","external_references":[{"external_id":"S1003","source_name":"mitre-ics-attack","url":"https://collaborate.mitre.org/attackics/index.php/Software/S0012"},{"description":"Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.","source_name":"Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary","url":"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"},{"description":"Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.","source_name":"Symantec Conficker Jun 2015","url":"https://support.symantec.com/us/en/article.tech93179.html"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":true},{"modified":"2022-10-12T17:59:55.276Z","name":"PLC-Blaster","description":"[PLC-Blaster](https://attack.mitre.org/software/S1006) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["PLC-Blaster"],"type":"malware","id":"malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe","created":"2019-03-26T15:02:14.907Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1006","external_id":"S1006"},{"source_name":"Spenneberg, Ralf 2016","description":"Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf"},{"source_name":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016","description":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-06T14:08:40.134Z","name":"BlackEnergy","description":"[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.4","x_mitre_aliases":["BlackEnergy","Black Energy"],"type":"malware","id":"malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4","created":"2017-05-31T21:32:57.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0089","external_id":"S0089"},{"source_name":"F-Secure BlackEnergy 2014","description":"F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.","url":"https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-08T22:11:21.842Z","name":"NotPetya","description":"[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"2.0","x_mitre_aliases":["NotPetya","ExPetr","Diskcoder.C","GoldenEye","Petrwrap","Nyetya"],"type":"malware","id":"malware--5719af9d-6b16-46f9-9b28-fb019541ddbb","created":"2019-03-26T15:02:14.907Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0368","external_id":"S0368"},{"source_name":"ExPetr","description":"(Citation: ESET Telebots June 2017)"},{"source_name":"Diskcoder.C","description":"(Citation: ESET Telebots June 2017)"},{"source_name":"GoldenEye","description":"(Citation: Talos Nyetya June 2017)"},{"source_name":"Nyetya","description":"(Citation: Talos Nyetya June 2017)"},{"source_name":"Petrwrap","description":"(Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017)"},{"source_name":"ESET Telebots June 2017","description":"Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.","url":"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/"},{"source_name":"Talos Nyetya June 2017","description":"Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.","url":"https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html"},{"source_name":"US District Court Indictment GRU Unit 74455 October 2020","description":"Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.","url":"https://www.justice.gov/opa/press-release/file/1328521/download"},{"source_name":"US-CERT NotPetya 2017","description":"US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.","url":"https://www.us-cert.gov/ncas/alerts/TA17-181A"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-08T22:15:47.458Z","name":"Conficker","description":"[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["Conficker","Kido","Downadup"],"type":"malware","id":"malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55","created":"2021-02-23T20:50:32.845Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0608","external_id":"S0608"},{"source_name":"Kido","description":"(Citation: SANS Conficker) "},{"source_name":"Downadup","description":"(Citation: SANS Conficker) "},{"source_name":"SANS Conficker","description":"Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.","url":"https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm"},{"source_name":"Conficker Nuclear Power Plant","description":"Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.","url":"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-17T20:05:34.648Z","name":"LockerGoga","description":"[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"2.0","x_mitre_contributors":["Joe Slowik - Dragos"],"x_mitre_aliases":["LockerGoga"],"type":"malware","id":"malware--5af7a825-2d9f-400d-931a-e00eb9e27f48","created":"2019-04-16T19:00:49.435Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0372","external_id":"S0372"},{"source_name":"CarbonBlack LockerGoga 2019","description":"CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.","url":"https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/"},{"source_name":"Unit42 LockerGoga 2019","description":"Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.","url":"https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-08-15T22:01:22.169Z","name":"VPNFilter","description":"[VPNFilter](https://attack.mitre.org/software/S1010) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S1010) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019) [VPNFilter](https://attack.mitre.org/software/S1010) was assessed to be replaced by [Sandworm Team](https://attack.mitre.org/groups/G0034) with [Cyclops Blink](https://attack.mitre.org/software/S0687) starting in 2019.(Citation: NCSC CISA Cyclops Blink Advisory February 2022)","x_mitre_platforms":["Network","Linux"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack","enterprise-attack"],"x_mitre_version":"2.0","x_mitre_aliases":["VPNFilter"],"type":"malware","id":"malware--6108f800-10b8-4090-944e-be579f01263d","created":"2019-03-26T15:02:14.907Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1010","external_id":"S1010"},{"source_name":"Carl Hurd March 2019","description":"Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ","url":"https://www.youtube.com/watch?v=yuZazP22rpI"},{"source_name":"NCSC CISA Cyclops Blink Advisory February 2022","description":"NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.","url":"https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"},{"source_name":"William Largent June 2018","description":"William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ","url":"https://blog.talosintelligence.com/2018/06/vpnfilter-update.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-08T22:17:50.971Z","name":"Duqu","description":"[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.2","x_mitre_aliases":["Duqu"],"type":"malware","id":"malware--68dca94f-c11d-421e-9287-7c501108e18c","created":"2017-05-31T21:32:31.188Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0038","external_id":"S0038"},{"source_name":"Symantec W32.Duqu","description":"Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.","url":"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-06T22:00:22.774Z","name":"Industroyer2","description":"[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)","x_mitre_platforms":["Field Controller/RTU/PLC/IED","Engineering Workstation"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack","enterprise-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["Industroyer2"],"type":"malware","id":"malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5","created":"2023-03-30T19:20:45.556Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1072","external_id":"S1072"},{"source_name":"Industroyer2 Blackhat ESET","description":"Anton Cherepanov, Robert Lipovsky. (2022, August). Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid. Retrieved April 6, 2023.","url":"https://www.youtube.com/watch?v=xC9iM5wVedQ"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Windows"],"x_mitre_domains":["ics-attack"],"x_mitre_aliases":["Killdisk"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"name":"Killdisk","description":"In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable. (Citation: ESET BlackEnergy Jan 2016)","id":"malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830","type":"malware","x_mitre_version":"1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2017-05-31T21:33:21.973Z","modified":"2021-10-21T14:00:00.188Z","external_references":[{"external_id":"S1005","source_name":"mitre-ics-attack","url":"https://collaborate.mitre.org/attackics/index.php/Software/S0016"},{"source_name":"ESET BlackEnergy Jan 2016","description":"Anton Cherepanov. (n.d.). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.","url":"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"},{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":true},{"modified":"2023-03-08T22:20:20.868Z","name":"WannaCry","description":"[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Jan Miller, CrowdStrike"],"x_mitre_aliases":["WannaCry","WanaCry","WanaCrypt","WanaCrypt0r","WCry"],"type":"malware","id":"malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661","created":"2019-03-25T17:30:17.004Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0366","external_id":"S0366"},{"source_name":"WanaCrypt0r","description":"(Citation: LogRhythm WannaCry)"},{"source_name":"WCry","description":"(Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis)"},{"source_name":"WanaCry","description":"(Citation: SecureWorks WannaCry Analysis)"},{"source_name":"WanaCrypt","description":"(Citation: SecureWorks WannaCry Analysis)"},{"source_name":"FireEye WannaCry 2017","description":"Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.","url":"https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"},{"source_name":"SecureWorks WannaCry Analysis","description":"Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.","url":"https://www.secureworks.com/research/wcry-ransomware-analysis"},{"source_name":"Washington Post WannaCry 2017","description":"Dwoskin, E. and Adam, K. (2017, May 14). More than 150 countries affected by massive cyberattack, Europol says. Retrieved March 25, 2019.","url":"https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4"},{"source_name":"LogRhythm WannaCry","description":"Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.","url":"https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"},{"source_name":"US-CERT WannaCry 2017","description":"US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.","url":"https://www.us-cert.gov/ncas/alerts/TA17-132A"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-17T16:12:43.754Z","name":"Triton","description":"[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.1","x_mitre_aliases":["Triton","TRISIS","HatMan"],"type":"malware","id":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","created":"2019-03-26T15:02:14.907Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1009","external_id":"S1009"},{"source_name":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"},{"source_name":"DHS CISA February 2019","description":"DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ","url":"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"},{"source_name":"Dragos December 2017","description":"Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ","url":"https://dragos.com/blog/trisis/TRISIS-01.pdf"},{"source_name":"Jos Wetzels January 2018","description":"Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ","url":"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"},{"source_name":"Julian Gutmanis March 2019","description":"Julian Gutmanis 2019, March 11 Triton - A Report From The Trenches Retrieved. 2019/03/11 ","url":"https://www.youtube.com/watch?v=XwSJ8hloGvY"},{"source_name":"Schneider December 2018","description":"Schneider 2018, December 14 Security Notification EcoStruxure Triconex Tricon V3 Retrieved. 2019/03/08 ","url":"https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01"},{"source_name":"Schneider Electric January 2018","description":"Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ","url":"https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Windows"],"x_mitre_domains":["ics-attack"],"x_mitre_aliases":["BlackEnergy 3"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"name":"BlackEnergy 3","description":"[BlackEnergy 3](https://collaborate.mitre.org/attackics/index.php/Software/S0004) is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid. (Citation: Booz Allen Hamilton)","type":"malware","x_mitre_version":"1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","id":"malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b","created":"2017-05-31T21:32:59.661Z","modified":"2021-04-29T14:49:39.188Z","external_references":[{"external_id":"S1002","source_name":"mitre-ics-attack","url":"https://collaborate.mitre.org/attackics/index.php/Software/S0004"},{"description":"Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.","source_name":"Booz Allen Hamilton","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":true},{"modified":"2024-09-12T14:43:31.224Z","name":"Fuxnet","description":"[Fuxnet](https://attack.mitre.org/software/S1157) is malware designed to impact the industrial network infrastructure managing control system sensors for utility operations in Moscow. [Fuxnet](https://attack.mitre.org/software/S1157) is linked to an entity referred to as the Blackjack hacking group, which is assessed to be linked to Ukrainian intelligence services.(Citation: Claroty Fuxnet 2024)","x_mitre_platforms":["Input/Output Server","Control Server"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Sharon Brizinov, Claroty Team82 Research"],"x_mitre_aliases":["Fuxnet"],"type":"malware","id":"malware--931e2489-8078-4f9f-85b2-a9211950e75b","created":"2024-09-11T22:47:34.585Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1157","external_id":"S1157"},{"source_name":"Claroty Fuxnet 2024","description":"Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.","url":"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Windows"],"x_mitre_domains":["ics-attack"],"x_mitre_aliases":["EKANS","SNAKEHOSE"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_version":"1.0","type":"malware","modified":"2021-10-21T14:00:00.188Z","created":"2021-04-13T12:28:31.188Z","description":"[EKANS](https://collaborate.mitre.org/attackics/index.php/Software/S0017) is ransomware that was first seen December 2019 and later reported to have impacted operations at Honda automotive production facilities.(Citation: Forbes Snake Ransomware June 2020)(Citation: MalwareByes Honda and Enel Ransomware June 2020)(Citation: Dragos EKANS February 2020) EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).(Citation: Dragos EKANS February 2020) If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the “Snake” malware associated with the Turla group. The ICS processes documented within the malware’s kill-list is similar to those defined by the MEGACORTEX software.(Citation: FireEye OT Ransomware July 2020)(Citation: Pylos January 2020)(Citation: Dragos EKANS June 2020)The ransomware was initially reported as “Snake”, however, to avoid confusion with the unrelated Turla APT group security researchers spelled it backwards as EKANS.","external_references":[{"source_name":"mitre-ics-attack","external_id":"S0017","url":"https://collaborate.mitre.org/attackics/index.php/Software/S0017"},{"source_name":"Forbes Snake Ransomware June 2020","description":"Davey Winder. (2020, June 10). Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations. Retrieved April 12, 2021.","url":"https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad"},{"source_name":"MalwareByes Honda and Enel Ransomware June 2020","description":"MalwareBytes. (2020, June 09). Honda and Enel impacted by cyber attack suspected to be ransomware. Retrieved April 12, 2021.","url":"https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/"},{"source_name":"Dragos EKANS February 2020","description":"Dragos Threat Intelligence. (2020, February 03). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.","url":"https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"},{"source_name":"FireEye OT Ransomware July 2020","description":"Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. Retrieved April 12, 2021.","url":"https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html"},{"source_name":"Pylos January 2020","description":"Joe Slowik. (2020, January 28). Getting the Story Right, and Why It Matters. Retrieved April 12, 2021.","url":"https://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/"},{"source_name":"Dragos EKANS June 2020","description":"Joe Slowik. (2020, June 18). EKANS Ransomware Misconceptions and Misunderstandings. Retrieved April 12, 2021.","url":"https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/#_edn7"}],"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","id":"malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f","name":"EKANS","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":true},{"modified":"2023-08-09T18:11:35.634Z","name":"Ryuk","description":"[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.4","x_mitre_contributors":["The DFIR Report, @TheDFIRReport","Matt Brenton, Zurich Insurance Group"],"x_mitre_aliases":["Ryuk"],"type":"malware","id":"malware--a020a61c-423f-4195-8c46-ba1d21abba37","created":"2020-05-13T20:14:53.171Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0446","external_id":"S0446"},{"source_name":"Ryuk","description":"(Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL) "},{"source_name":"Bleeping Computer - Ryuk WoL","description":"Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.","url":"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/"},{"source_name":"FireEye Ryuk and Trickbot January 2019","description":"Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.","url":"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"},{"source_name":"CrowdStrike Ryuk January 2019","description":"Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.","url":"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"},{"source_name":"FireEye FIN6 Apr 2019","description":"McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.","url":"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-12T17:15:44.068Z","name":"ACAD/Medre.A","description":"[ACAD/Medre.A](https://attack.mitre.org/software/S1000) is a worm that steals operational information. The worm collects AutoCAD files with drawings. [ACAD/Medre.A](https://attack.mitre.org/software/S1000) has the capability to be used for industrial espionage.(Citation: ESET)","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["ACAD/Medre.A"],"type":"malware","id":"malware--a4a98eab-b691-45d9-8c48-869ef8fefd57","created":"2017-05-31T21:32:59.661Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1000","external_id":"S1000"},{"source_name":"ESET","description":"ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ","url":"https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-11T00:15:32.724Z","name":"REvil","description":"[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"2.2","x_mitre_contributors":["Edward Millington"],"x_mitre_aliases":["REvil","Sodin","Sodinokibi"],"type":"malware","id":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","created":"2020-08-04T15:06:14.796Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0496","external_id":"S0496"},{"source_name":"Sodin","description":"(Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)"},{"source_name":"Sodinokibi","description":"(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)"},{"source_name":"Talos Sodinokibi April 2019","description":"Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.","url":"https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"},{"source_name":"Secureworks REvil September 2019","description":"Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.","url":"https://www.secureworks.com/research/revil-sodinokibi-ransomware"},{"source_name":"Cylance Sodinokibi July 2019","description":"Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.","url":"https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html"},{"source_name":"Group IB Ransomware May 2020","description":"Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.","url":"https://www.group-ib.com/whitepapers/ransomware-uncovered.html"},{"source_name":"G Data Sodinokibi June 2019","description":"Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.","url":"https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data"},{"source_name":"Intel 471 REvil March 2020","description":"Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.","url":"https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/"},{"source_name":"Kaspersky Sodin July 2019","description":"Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.","url":"https://securelist.com/sodin-ransomware/91473/"},{"source_name":"McAfee Sodinokibi October 2019","description":"McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"},{"source_name":"Picus Sodinokibi January 2020","description":"Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.","url":"https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware"},{"source_name":"McAfee REvil October 2019","description":"Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/"},{"source_name":"Secureworks GandCrab and REvil September 2019","description":"Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.","url":"https://www.secureworks.com/blog/revil-the-gandcrab-connection"},{"source_name":"Tetra Defense Sodinokibi March 2020","description":"Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.","url":"https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-17T16:23:24.812Z","name":"INCONTROLLER","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. [INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed [INCONTROLLER](https://attack.mitre.org/software/S1045) was developed by CHERNOVITE.(Citation: CISA-AA22-103A)(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Schneider-Incontroller)(Citation: Wylie-22) ","x_mitre_platforms":["Field Controller/RTU/PLC/IED","Safety Instrumented System/Protection Relay","Engineering Workstation","Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Jimmy Wylie, Dragos, Inc."],"x_mitre_aliases":["INCONTROLLER","PIPEDREAM"],"type":"malware","id":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","created":"2022-09-28T20:07:40.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1045","external_id":"S1045"},{"source_name":"PIPEDREAM","description":"(Citation: Dragos-Pipedream)(Citation: Wylie-22)"},{"source_name":"CISA-AA22-103A","description":"DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"},{"source_name":"Dragos-Pipedream","description":"DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.","url":"https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"},{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"},{"source_name":"Brubaker-Incontroller","description":"Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.","url":"https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"},{"source_name":"Schneider-Incontroller","description":"Schneider Electric. (2022, April 14). Schneider Electric Security Bulletin: “APT Cyber Tools Targeting ICS/SCADA Devices” . Retrieved September 28, 2022.","url":"https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2022-01"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-06T14:09:52.833Z","name":"KillDisk","description":"[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)","x_mitre_platforms":["Linux","Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.2","x_mitre_aliases":["KillDisk","Win32/KillDisk.NBI","Win32/KillDisk.NBH","Win32/KillDisk.NBD","Win32/KillDisk.NBC","Win32/KillDisk.NBB"],"type":"malware","id":"malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6","created":"2021-01-20T18:05:07.059Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0607","external_id":"S0607"},{"source_name":"KillDisk Ransomware","description":"Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.","url":"https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/"},{"source_name":"ESEST Black Energy Jan 2016","description":"Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.","url":"http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"},{"source_name":"Trend Micro KillDisk 1","description":"Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.","url":"https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html"},{"source_name":"Trend Micro KillDisk 2","description":"Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.","url":"https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-11T16:06:34.700Z","name":"Industroyer","description":"[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Dragos Threat Intelligence","Joe Slowik - Dragos"],"x_mitre_aliases":["Industroyer","CRASHOVERRIDE","Win32/Industroyer"],"type":"malware","id":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","created":"2021-01-04T20:42:21.997Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0604","external_id":"S0604"},{"source_name":"CRASHOVERRIDE","description":"(Citation: Dragos Crashoverride 2017)"},{"source_name":"Win32/Industroyer","description":"(Citation: ESET Industroyer)"},{"source_name":"ESET Industroyer","description":"Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"},{"source_name":"Dragos Crashoverride 2017","description":"Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.","url":"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"},{"source_name":"Dragos Crashoverride 2018","description":"Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-12T17:51:18.408Z","name":"Flame","description":"[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.1","x_mitre_aliases":["Flame","Flamer","sKyWIper"],"type":"malware","id":"malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498","created":"2017-05-31T21:33:21.973Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0143","external_id":"S0143"},{"source_name":"Flame","description":"(Citation: Kaspersky Flame)"},{"source_name":"sKyWIper","description":"(Citation: Kaspersky Flame) (Citation: Crysys Skywiper)"},{"source_name":"Flamer","description":"(Citation: Kaspersky Flame) (Citation: Symantec Beetlejuice)"},{"source_name":"Kaspersky Flame","description":"Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.","url":"https://securelist.com/the-flame-questions-and-answers-51/34344/"},{"source_name":"Crysys Skywiper","description":"sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.","url":"https://www.crysys.hu/publications/files/skywiper.pdf"},{"source_name":"Symantec Beetlejuice","description":"Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017.","url":"https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-08T22:12:52.701Z","name":"Inhibit Response Function","description":"The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.\n\nInhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. These techniques aim to actively deter and prevent expected alarms and responses that arise due to statuses in the ICS environment. Adversaries may modify or update system logic, or even outright prevent responses with a denial-of-service. They may result in the prevention, destruction, manipulation, or modification of programs, logic, devices, and communications. As prevention functions are generally dormant, reporting and processing functions can appear fine, but may have been altered to prevent failure responses in dangerous scenarios. Unlike [Evasion](https://attack.mitre.org/tactics/TA0103), Inhibit Response Function techniques may be more intrusive, such as actively preventing responses to a known dangerous scenario. Adversaries may use these techniques to follow through with or provide cover for [Impact](https://attack.mitre.org/tactics/TA0105) techniques.","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_shortname":"inhibit-response-function","type":"x-mitre-tactic","id":"x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0107","external_id":"TA0107"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-09-29T21:38:48.906Z","name":"Privilege Escalation","description":"The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_shortname":"privilege-escalation","type":"x-mitre-tactic","id":"x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046","created":"2021-04-10T17:32:33.899Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0111","external_id":"TA0111"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-08T22:09:46.867Z","name":"Lateral Movement","description":"The adversary is trying to move through your ICS environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. These techniques abuse default credentials, known accounts, and vulnerable services, and may also leverage dual-homed devices and systems that reside on both the IT and OT networks. The adversary uses these techniques to pivot to their next point in the environment, positioning themselves to where they want to be or think they should be. Following through on their primary objective often requires [Discovery](https://attack.mitre.org/tactics/TA0102) of the network and [Collection](https://attack.mitre.org/tactics/TA0100) to develop awareness of unique ICS devices and processes, in order to find their target and subsequently gain access to it. Reaching this objective often involves pivoting through multiple systems, devices, and accounts. Adversaries may install their own remote tools to accomplish Lateral Movement or leverage default tools, programs, and manufacturer set or other legitimate credentials native to the network, which may be stealthier.","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_shortname":"lateral-movement","type":"x-mitre-tactic","id":"x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0109","external_id":"TA0109"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-09T18:38:51.471Z","name":"Discovery","description":"The adversary is locating information to assess and identify their targets in your environment.\n\nDiscovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_shortname":"discovery","type":"x-mitre-tactic","id":"x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0102","external_id":"TA0102"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-03-09T18:38:51.471Z","name":"Initial Access","description":"The adversary is trying to get into your ICS environment.\n\nInitial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_shortname":"initial-access","type":"x-mitre-tactic","id":"x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0108","external_id":"TA0108"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-03-08T22:22:09.571Z","name":"Impact","description":"The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.\n\nImpact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques, which often manifest in more self-revealing impacts on operations, or [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary’s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.\n\n[Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828), [Theft of Operational Information](https://attack.mitre.org/techniques/T0882), and [Damage to Property](https://attack.mitre.org/techniques/T0879) are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_shortname":"impact","type":"x-mitre-tactic","id":"x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279","created":"2019-03-14T18:44:44.639Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0105","external_id":"TA0105"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-09T18:38:51.471Z","name":"Persistence","description":"The adversary is trying to maintain their foothold in your ICS environment.\n\nPersistence consists of techniques that adversaries use to maintain access to ICS systems and devices across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that allow them to secure their ongoing activity and keep their foothold on systems. This may include replacing or hijacking legitimate code, firmware, and other project files, or adding startup code and downloading programs onto devices.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_shortname":"persistence","type":"x-mitre-tactic","id":"x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0110","external_id":"TA0110"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-03-08T22:19:16.160Z","name":"Execution","description":"The adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network [Discovery](https://attack.mitre.org/tactics/TA0102) and [Collection](https://attack.mitre.org/tactics/TA0100), impact operations, and inhibit response functions.","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_shortname":"execution","type":"x-mitre-tactic","id":"x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0104","external_id":"TA0104"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-09T18:38:51.471Z","name":"Command and Control","description":"The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.\n\nCommand and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim’s network structure and defenses.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_shortname":"command-and-control","type":"x-mitre-tactic","id":"x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0101","external_id":"TA0101"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-03-08T22:18:50.880Z","name":"Collection","description":"The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal.\n\nCollection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of [Discovery](https://attack.mitre.org/tactics/TA0102), to compile data on control systems and targets of interest that may be used to follow through on the adversary’s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_shortname":"collection","type":"x-mitre-tactic","id":"x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0100","external_id":"TA0100"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-09T18:38:51.471Z","name":"Evasion","description":"The adversary is trying to avoid security defenses.\n\nEvasion consists of techniques that adversaries use to avoid technical defenses throughout their campaign. Techniques used for evasion include removal of indicators of compromise, spoofing communications, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense evasion for this purpose are often more passive in nature.","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_shortname":"evasion","type":"x-mitre-tactic","id":"x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0103","external_id":"TA0103"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-03-08T22:15:17.020Z","name":"Impair Process Control","description":"The adversary is trying to manipulate, disable, or damage physical control processes.\n\nImpair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107) techniques in tandem, to assist with the successful abuse of control processes to result in [Impact](https://attack.mitre.org/tactics/TA0105).","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_shortname":"impair-process-control","type":"x-mitre-tactic","id":"x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0106","external_id":"TA0106"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-13T17:56:58.380Z","name":"Block Command Message","description":"Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"3.2.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Process: Process Termination","Operational Databases: Process History/Live Data","Application Log: Application Log Content","Network Traffic: Network Traffic Flow","Operational Databases: Process/Event Alarm"],"type":"attack-pattern","id":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0803","external_id":"T0803"},{"source_name":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011","description":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ","url":"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"},{"source_name":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ","url":"https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:56:58.586Z","name":"Service Stop","description":"Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"3.2.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["File: File Modification","Command: Command Execution","Process: OS API Execution","Process: Process Termination","Service: Service Metadata","Windows Registry: Windows Registry Key Modification","Process: Process Creation"],"type":"attack-pattern","id":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0881","external_id":"T0881"},{"source_name":"Enterprise ATT&CK","description":"Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ","url":"https://attack.mitre.org/techniques/T1489/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:56:58.786Z","name":"Modify Parameter","description":"Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impair-process-control"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.3","x_mitre_data_sources":["Asset: Asset Inventory","Application Log: Application Log Content","Operational Databases: Device Alarm","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0836","external_id":"T0836"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:56:58.991Z","name":"Modify Controller Tasking","description":"Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Application Log: Application Log Content","Operational Databases: Device Alarm","Asset: Software"],"type":"attack-pattern","id":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0821","external_id":"T0821"},{"source_name":"IEC February 2013","description":"IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ","url":"https://webstore.iec.ch/publication/4552"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:56:59.193Z","name":"Wireless Sniffing","description":"Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"discovery"},{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["ICSCoE Japan"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Traffic: Network Traffic Flow"],"type":"attack-pattern","id":"attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0887","external_id":"T0887"},{"source_name":"Bastille April 2017","description":"Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ","url":"https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack"},{"source_name":"Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018","description":"Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. 2018, April Guide to Industrial Wireless Systems Deployments Retrieved. 2020/12/01 ","url":"https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-4.pdf"},{"source_name":"Gallagher, S. April 2017","description":"Gallagher, S. 2017, April 12 Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack Retrieved. 2020/12/01 ","url":"https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:56:59.396Z","name":"Loss of View","description":"Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0829","external_id":"T0829"},{"source_name":"Corero","description":"Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ","url":"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"},{"source_name":"Michael J. Assante and Robert M. Lee","description":"Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"},{"source_name":"Tyson Macaulay","description":"Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ","url":"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:56:59.593Z","name":"Activate Firmware Update Mode","description":"Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["Joe Slowik - Dragos"],"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Operational Databases: Device Alarm","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0800","external_id":"T0800"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:56:59.793Z","name":"Manipulation of Control","description":"Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0831","external_id":"T0831"},{"source_name":"Bruce Schneier January 2008","description":"Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ","url":"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"},{"source_name":"John Bill May 2017","description":"John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ","url":"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/"},{"source_name":"Shelley Smith February 2008","description":"Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ","url":"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2024-10-14T19:00:55.006Z","name":"Denial of Service","description":"Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Network Traffic: Network Traffic Flow","Application Log: Application Log Content","Operational Databases: Process History/Live Data"],"type":"attack-pattern","id":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0814","external_id":"T0814"},{"source_name":"Common Weakness Enumeration January 2019","description":"Common Weakness Enumeration 2019, January 03 CWE-400: Uncontrolled Resource Consumption Retrieved. 2019/03/14 ","url":"http://cwe.mitre.org/data/definitions/400.html"},{"source_name":"ICS-CERT April 2017","description":"ICS-CERT 2017, April 18 CS Alert (ICS-ALERT-17-102-01A) BrickerBot Permanent Denial-of-Service Attack Retrieved. 2019/10/24 ","url":"https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A"},{"source_name":"ICS-CERT August 2018","description":"ICS-CERT 2018, August 27 Advisory (ICSA-15-202-01) - Siemens SIPROTEC Denial-of-Service Vulnerability Retrieved. 2019/03/14 ","url":"https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01"},{"source_name":"MITRE March 2018","description":"MITRE 2018, March 22 CVE-2015-5374 Retrieved. 2019/03/14 ","url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5374"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-13T17:57:00.184Z","name":"Block Serial COM","description":"Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Operational Databases: Process/Event Alarm","Network Traffic: Network Traffic Flow","Operational Databases: Process History/Live Data","Application Log: Application Log Content","Process: Process Termination"],"type":"attack-pattern","id":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0805","external_id":"T0805"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2024-04-08T18:57:58.010Z","name":"System Binary Proxy Execution","description":"Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)\n\nAdversaries may abuse application binaries installed on a system for proxy execution of malicious code or domain-specific commands. These commands could be used to target local resources on the device or networked devices within the environment through defined APIs ([Execution through API](https://attack.mitre.org/techniques/T0871)) or application-specific programming languages (e.g., MicroSCADA SCIL). Application binaries may be signed by the developer or generally trusted by the operators, analysts, and monitoring tools accustomed to the environment. These applications may be developed and/or directly provided by the device vendor to enable configuration, management, and operation of their devices without many alternatives. \n\nAdversaries may seek to target these trusted application binaries to execute or send commands without the development of custom malware. For example, adversaries may target a SCADA server binary which has the existing ability to send commands to substation devices, such as through IEC 104 command messages. Proxy execution may still require the development of custom tools to hook into the application binary’s execution.\n\n","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Script: Script Execution","Command: Command Execution","Process: Process Creation"],"type":"attack-pattern","id":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","created":"2024-03-25T20:16:15.016Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0894","external_id":"T0894"},{"source_name":"GTFO split","description":"GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.","url":"https://gtfobins.github.io/gtfobins/split/"},{"source_name":"LOLBAS Project","description":"Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.","url":"https://github.com/LOLBAS-Project/LOLBAS#criteria"},{"source_name":"split man page","description":"Torbjorn Granlund, Richard M. Stallman. (2020, March null). split(1) — Linux manual page. Retrieved March 25, 2022.","url":"https://man7.org/linux/man-pages/man1/split.1.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-05-08T20:13:24.241Z","name":"Role Identification","description":"Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.\n\nFor example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Windows","Human-Machine Interface","Control Server","Data Historian","Field Controller/RTU/PLC/IED"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0850","external_id":"T0850"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:00.378Z","name":"Command-Line Interface","description":"Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Command: Command Execution","Application Log: Application Log Content","Process: Process Creation"],"type":"attack-pattern","id":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0807","external_id":"T0807"},{"source_name":"Enterprise ATT&CK January 2018","description":"Enterprise ATT&CK 2018, January 11 Command-Line Interface Retrieved. 2018/05/17 ","url":"https://attack.mitre.org/wiki/Technique/T1059"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:00.575Z","name":"Point & Tag Identification","description":"Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["Jos Wetzels - Midnight Blue"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0861","external_id":"T0861"},{"source_name":"Dennis L. Sloatman September 2016","description":"Dennis L. Sloatman 2016, September 16 Understanding PLC Programming Methods and the Tag Database System Retrieved. 2017/12/19 ","url":"https://www.radioworld.com/industry/understanding-plc-programming-methods-and-the-tag-database-system"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:00.768Z","name":"Device Restart/Shutdown","description":"Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Traffic: Network Traffic Flow","Application Log: Application Log Content","Operational Databases: Device Alarm","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0816","external_id":"T0816"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:00.969Z","name":"User Execution","description":"Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Command: Command Execution","Application Log: Application Log Content","Network Traffic: Network Connection Creation","File: File Access","Process: Process Creation","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0863","external_id":"T0863"},{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"},{"source_name":"Daavid Hentunen, Antti Tikkanen June 2014","description":"Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ","url":"https://www.f-secure.com/weblog/archives/00002718.html"},{"source_name":"CISA AA21-201A Pipeline Intrusion July 2021","description":"Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ","url":"https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:01.165Z","name":"Wireless Compromise","description":"Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_contributors":["Scott Dougherty"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Logon Session: Logon Session Creation","Application Log: Application Log Content","Network Traffic: Network Traffic Flow"],"type":"attack-pattern","id":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0860","external_id":"T0860"},{"source_name":"Alexander Bolshev March 2014","description":"Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved. 2020/01/05 ","url":"https://www.slideshare.net/dgpeters/17-bolshev-1-13"},{"source_name":"Alexander Bolshev, Gleb Cherbov July 2014","description":"Alexander Bolshev, Gleb Cherbov 2014, July 08 ICSCorsair: How I will PWN your ERP through 4-20 mA current loop Retrieved. 2020/01/05 ","url":"https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf"},{"source_name":"Bruce Schneier January 2008","description":"Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ","url":"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"},{"source_name":"John Bill May 2017","description":"John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ","url":"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/"},{"source_name":"Shelley Smith February 2008","description":"Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ","url":"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:01.367Z","name":"Change Operating Mode","description":"Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"},{"kill_chain_name":"mitre-ics-attack","phase_name":"evasion"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Application Log: Application Log Content","Operational Databases: Device Alarm"],"type":"attack-pattern","id":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0858","external_id":"T0858"},{"source_name":"Machine Information Systems 2007","description":"Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ","url":"http://www.machine-information-systems.com/How_PLCs_Work.html"},{"source_name":"N.A. October 2017","description":"N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ","url":"https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489"},{"source_name":"Omron","description":"Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ","url":"https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified."},{"source_name":"PLCgurus 2021","description":"PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ","url":"https://www.plcgurus.net/plc-basics/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:01.578Z","name":"Alarm Suppression","description":"Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_contributors":["Marina Krotofil","Jos Wetzels - Midnight Blue"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Network Traffic: Network Traffic Flow","Operational Databases: Process History/Live Data","Operational Databases: Device Alarm","Operational Databases: Process/Event Alarm"],"type":"attack-pattern","id":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0878","external_id":"T0878"},{"source_name":"Jos Wetzels, Marina Krotofil 2019","description":"Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ","url":"https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:01.778Z","name":"Detect Operating Mode","description":"Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0868","external_id":"T0868"},{"source_name":"Machine Information Systems 2007","description":"Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ","url":"http://www.machine-information-systems.com/How_PLCs_Work.html"},{"source_name":"N.A. October 2017","description":"N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ","url":"https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489"},{"source_name":"Omron","description":"Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ","url":"https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified."},{"source_name":"PLCgurus 2021","description":"PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ","url":"https://www.plcgurus.net/plc-basics/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:01.994Z","name":"Loss of Protection","description":"Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163","created":"2021-04-12T07:57:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0837","external_id":"T0837"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:02.197Z","name":"Monitor Process State","description":"Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0801","external_id":"T0801"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:02.398Z","name":"Scripting","description":"Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. \n\nIn addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Command: Command Execution","Process: Process Creation","Process: Process Metadata","Module: Module Load","Script: Script Execution"],"type":"attack-pattern","id":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0853","external_id":"T0853"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:02.595Z","name":"Remote System Information Discovery","description":"An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"discovery"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Traffic: Network Traffic Flow","Network Traffic: Network Traffic Content","File: File Access","Process: Process Creation"],"type":"attack-pattern","id":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","created":"2021-04-13T12:45:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0888","external_id":"T0888"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:02.785Z","name":"Program Upload","description":"Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Network Traffic: Network Traffic Flow","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0845","external_id":"T0845"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:02.990Z","name":"Exploit Public-Facing Application","description":"Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Application Log: Application Log Content","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0819","external_id":"T0819"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:03.187Z","name":"Data from Information Repositories","description":"Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Logon Session: Logon Session Creation","Network Share: Network Share Access","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0811","external_id":"T0811"},{"source_name":"Cybersecurity & Infrastructure Security Agency March 2018","description":"Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ","url":"https://us-cert.cisa.gov/ncas/alerts/TA18-074A"},{"source_name":"CISA AA21-201A Pipeline Intrusion July 2021","description":"Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ","url":"https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:03.395Z","name":"Transient Cyber Asset","description":"Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. \n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. \n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. ","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"3.2.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Network Traffic: Network Traffic Flow","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","created":"2021-10-14T15:25:32.143Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0864","external_id":"T0864"},{"source_name":"North American Electric Reliability Corporation June 2021","description":"North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ","url":"https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:03.589Z","name":"Manipulate I/O Image","description":"Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Asset: Software"],"type":"attack-pattern","id":"attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0835","external_id":"T0835"},{"source_name":"Dr. Kelvin T. Erickson December 2010","description":"Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 ","url":"https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/"},{"source_name":"Nanjundaiah, Vaidyanath","description":"Nanjundaiah, Vaidyanath Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 PLC Ladder Logic Basics Retrieved. 2021/10/11 ","url":"https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:03.783Z","name":"Network Sniffing","description":"Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"discovery"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Process: Process Creation","Command: Command Execution"],"type":"attack-pattern","id":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0842","external_id":"T0842"},{"source_name":"Enterprise ATT&CK January 2018","description":"Enterprise ATT&CK 2018, January 11 Network Sniffing Retrieved. 2018/05/17 ","url":"https://attack.mitre.org/wiki/Technique/T1040"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:03.989Z","name":"Rootkit","description":"Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"evasion"},{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Firmware: Firmware Modification"],"type":"attack-pattern","id":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0851","external_id":"T0851"},{"source_name":"Enterprise ATT&CK January 2018","description":"Enterprise ATT&CK 2018, January 11 Rootkit Retrieved. 2018/05/16 ","url":"https://attack.mitre.org/wiki/Technique/T1014"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2024-04-05T16:34:58.587Z","name":"Automated Collection","description":"Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Script: Script Execution","Command: Command Execution","File: File Access","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0802","external_id":"T0802"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-13T17:57:04.376Z","name":"Block Reporting Message","description":"Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Operational Databases: Process/Event Alarm","Process: Process Termination","Application Log: Application Log Content","Network Traffic: Network Traffic Flow","Operational Databases: Process History/Live Data"],"type":"attack-pattern","id":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0804","external_id":"T0804"},{"source_name":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011","description":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ","url":"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"},{"source_name":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ","url":"https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:04.582Z","name":"Unauthorized Command Message","description":"Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impair-process-control"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Operational Databases: Process History/Live Data","Application Log: Application Log Content","Network Traffic: Network Traffic Flow","Operational Databases: Process/Event Alarm","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0855","external_id":"T0855"},{"source_name":"Benjamin Freed March 2019","description":"Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 ","url":"https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/"},{"source_name":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011","description":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ","url":"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"},{"source_name":"Zack Whittaker April 2017","description":"Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ","url":"https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:04.784Z","name":"Data Destruction","description":"Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["Matan Dobrushin - Otorio"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["File: File Modification","Process: Process Creation","File: File Deletion","Command: Command Execution"],"type":"attack-pattern","id":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0809","external_id":"T0809"},{"source_name":"Enterprise ATT&CK January 2018","description":"Enterprise ATT&CK 2018, January 11 File Deletion Retrieved. 2018/05/17 ","url":"https://attack.mitre.org/wiki/Technique/T1107"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:04.993Z","name":"Manipulation of View","description":"Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0832","external_id":"T0832"},{"source_name":"Corero","description":"Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ","url":"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"},{"source_name":"Michael J. Assante and Robert M. Lee","description":"Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"},{"source_name":"Tyson Macaulay","description":"Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ","url":"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-05-08T20:13:24.241Z","name":"Data Historian Compromise","description":"Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. \n\nDragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. (Citation: Industroyer - Dragos - 201810) The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be \"expected to have extensive connections\" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.\n\nPermissions Required: Administrator\n\nContributors: Joe Slowik - Dragos","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["Joe Slowik - Dragos"],"x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Windows"],"x_mitre_version":"1.0","x_mitre_permissions_required":["Administrator"],"type":"attack-pattern","id":"attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0810","external_id":"T0810"},{"source_name":"Industroyer - Dragos - 201810","description":"Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.","url":"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-05-08T20:13:24.241Z","name":"Network Service Scanning","description":"Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap].\n\nAn adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .\n\nScanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"discovery"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Windows","Field Controller/RTU/PLC/IED"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0841","external_id":"T0841"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:05.190Z","name":"Indicator Removal on Host","description":"Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"evasion"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Command: Command Execution","Process: OS API Execution","Windows Registry: Windows Registry Key Modification","File: File Metadata","Windows Registry: Windows Registry Key Deletion","File: File Deletion","File: File Modification","Process: Process Creation"],"type":"attack-pattern","id":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0872","external_id":"T0872"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:05.375Z","name":"I/O Image","description":"Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Asset: Software"],"type":"attack-pattern","id":"attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0877","external_id":"T0877"},{"source_name":"Nanjundaiah, Vaidyanath","description":"Nanjundaiah, Vaidyanath PLC Ladder Logic Basics Retrieved. 2021/10/11 ","url":"https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm"},{"source_name":"Spenneberg, Ralf 2016","description":"Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:05.576Z","name":"Denial of View","description":"Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","type":"attack-pattern","id":"attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0815","external_id":"T0815"},{"source_name":"Corero","description":"Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ","url":"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"},{"source_name":"Michael J. Assante and Robert M. Lee","description":"Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"},{"source_name":"Tyson Macaulay","description":"Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ","url":"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:05.776Z","name":"Execution through API","description":"Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Process: OS API Execution"],"type":"attack-pattern","id":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0871","external_id":"T0871"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:05.975Z","name":"Supply Chain Compromise","description":"Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["File: File Metadata"],"type":"attack-pattern","id":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0862","external_id":"T0862"},{"source_name":"Control Global May 2019","description":"Control Global 2019, May 29 Yokogawa announcement warns of counterfeit transmitters Retrieved. 2021/04/09 ","url":"https://www.controlglobal.com/industrynews/2019/yokogawa-announcement-warns-of-counterfeit-transmitters/"},{"source_name":"Daavid Hentunen, Antti Tikkanen June 2014","description":"Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ","url":"https://www.f-secure.com/weblog/archives/00002718.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-05-08T20:13:24.241Z","name":"Serial Connection Enumeration","description":"Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.\n\nWhile IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"discovery"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Windows","Input/Output Server","Field Controller/RTU/PLC/IED"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0854","external_id":"T0854"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:06.171Z","name":"Loss of Safety","description":"Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0880","external_id":"T0880"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:06.362Z","name":"Loss of Productivity and Revenue","description":"Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0828","external_id":"T0828"},{"source_name":"Colonial Pipeline Company May 2021","description":"Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ","url":"https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption"},{"source_name":"Lion Corporation June 2020","description":"Lion Corporation 2020, June 26 Lion Cyber incident update: 26 June 2020 Retrieved. 2021/10/08 ","url":"https://lionco.com/2020/06/26/lion-update-re-cyber-issue/"},{"source_name":"Paganini, Pierluigi June 2020","description":"Paganini, Pierluigi 2020, June 14 Ransomware attack disrupts operations at Australian beverage company Lion Retrieved. 2021/10/08 ","url":"https://securityaffairs.co/wordpress/104749/cyber-crime/ransomware-attack-hit-lion.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:06.577Z","name":"Spearphishing Attachment","description":"Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Process: Process Creation","File: File Creation","Network Traffic: Network Traffic Content","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0865","external_id":"T0865"},{"source_name":"CISA AA21-201A Pipeline Intrusion July 2021","description":"Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ","url":"https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"},{"source_name":"Enterprise ATT&CK October 2019","description":"Enterprise ATT&CK 2019, October 25 Spearphishing Attachment Retrieved. 2019/10/25 ","url":"https://attack.mitre.org/techniques/T1193/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-05-08T20:13:24.241Z","name":"Location Identification","description":"Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. \n\nAn adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Windows","Control Server"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0825","external_id":"T0825"},{"source_name":"Guidance - NIST SP800-82","description":"Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2024-04-08T18:54:40.925Z","name":"Autorun Image","description":"Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor. \n\nAn example could include an adversary gaining access to a hypervisor through the management interface to modify a virtual machine’s hardware configuration. They could then deploy an iso image with a malicious AutoRun script to cause the virtual machine to automatically execute the code contained on the disk image. This would enable the execution of malicious code within a virtual machine without needing any prior remote access to that system.\n","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_version":"1.0","x_mitre_data_sources":["Drive: Drive Creation","Process: Process Creation"],"type":"attack-pattern","id":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","created":"2024-03-26T15:39:19.473Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0895","external_id":"T0895"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-13T17:57:06.780Z","name":"Drive-by Compromise","description":"Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Application Log: Application Log Content","Process: Process Creation","File: File Creation","Network Traffic: Network Connection Creation"],"type":"attack-pattern","id":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0817","external_id":"T0817"},{"source_name":"Cybersecurity & Infrastructure Security Agency March 2018","description":"Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ","url":"https://us-cert.cisa.gov/ncas/alerts/TA18-074A"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:06.993Z","name":"Damage to Property","description":"Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","type":"attack-pattern","id":"attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0879","external_id":"T0879"},{"source_name":"Bruce Schneier January 2008","description":"Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ","url":"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"},{"source_name":"BSI State of IT Security 2014","description":"Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ","url":"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3"},{"source_name":"John Bill May 2017","description":"John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ","url":"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/"},{"source_name":"Shelley Smith February 2008","description":"Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ","url":"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:07.260Z","name":"Spoof Reporting Message","description":"Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"evasion"},{"kill_chain_name":"mitre-ics-attack","phase_name":"impair-process-control"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Network Traffic: Network Traffic Flow","Operational Databases: Device Alarm","Windows Registry: Windows Registry Key Modification","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0856","external_id":"T0856"},{"source_name":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011","description":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ","url":"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:07.457Z","name":"Exploitation of Remote Services","description":"Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"},{"kill_chain_name":"mitre-ics-attack","phase_name":"lateral-movement"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Application Log: Application Log Content","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0866","external_id":"T0866"},{"source_name":"Enterprise ATT&CK","description":"Enterprise ATT&CK Exploitation of Remote Services Retrieved. 2019/10/27 ","url":"https://attack.mitre.org/techniques/T1210/"},{"source_name":"Joe Slowik April 2019","description":"Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ","url":"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:07.653Z","name":"Default Credentials","description":"Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"lateral-movement"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Logon Session: Logon Session Creation"],"type":"attack-pattern","id":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0812","external_id":"T0812"},{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:07.840Z","name":"External Remote Services","description":"Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Traffic: Network Traffic Flow","Logon Session: Logon Session Metadata","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0822","external_id":"T0822"},{"source_name":"Daniel Oakley, Travis Smith, Tripwire","description":"Daniel Oakley, Travis Smith, Tripwire Retrieved. 2018/05/30 ","url":"https://attack.mitre.org/wiki/Technique/T1133"},{"source_name":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ","url":"https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:08.037Z","name":"Brute Force I/O","description":"Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. \n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impair-process-control"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Operational Databases: Process History/Live Data","Application Log: Application Log Content","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0806","external_id":"T0806"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-05-08T20:13:24.241Z","name":"Detect Program State","description":"Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Windows","Field Controller/RTU/PLC/IED"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0870","external_id":"T0870"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:08.233Z","name":"Adversary-in-the-Middle","description":"Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["Conrad Layne - GE Digital"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"2.0","x_mitre_data_sources":["Windows Registry: Windows Registry Key Modification","Process: Process Creation","Network Traffic: Network Traffic Flow","Service: Service Creation","Network Traffic: Network Traffic Content","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0830","external_id":"T0830"},{"source_name":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011","description":"Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ","url":"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"},{"source_name":"Gabriel Sanchez October 2017","description":"Gabriel Sanchez 2017, October Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark Retrieved. 2020/01/05 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:08.425Z","name":"Exploitation for Evasion","description":"Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"evasion"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0820","external_id":"T0820"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:08.613Z","name":"Loss of Control","description":"Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["Dragos Threat Intelligence"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0827","external_id":"T0827"},{"source_name":"BSI State of IT Security 2014","description":"Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ","url":"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3"},{"source_name":"Corero","description":"Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ","url":"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"},{"source_name":"Michael J. Assante and Robert M. Lee","description":"Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"},{"source_name":"Tyson Macaulay","description":"Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ","url":"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-05-08T20:13:24.241Z","name":"Change Program State","description":"Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"},{"kill_chain_name":"mitre-ics-attack","phase_name":"impair-process-control"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Field Controller/RTU/PLC/IED"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0875","external_id":"T0875"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:08.803Z","name":"Hooking","description":"Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"},{"kill_chain_name":"mitre-ics-attack","phase_name":"privilege-escalation"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Process: OS API Execution","Process: Process Metadata"],"type":"attack-pattern","id":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0874","external_id":"T0874"},{"source_name":"Enterprise ATT&CK","description":"Enterprise ATT&CK Hooking Retrieved. 2019/10/27 ","url":"https://attack.mitre.org/techniques/T1179/"},{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-05-08T20:13:24.241Z","name":"Control Device Identification","description":"Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"discovery"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Windows","Field Controller/RTU/PLC/IED"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0808","external_id":"T0808"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-05-08T20:13:24.241Z","name":"Program Organization Units","description":"Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"lateral-movement"},{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Windows","Safety Instrumented System/Protection Relay","Field Controller/RTU/PLC/IED"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0844","external_id":"T0844"},{"source_name":"Guidance - IEC61131","description":"John Karl-Heinz. (n.d.). Programming Industrial Automation Systems. Retrieved October 22, 2019.","url":"http://www.dee.ufrj.br/controle%20automatico/cursos/IEC61131-3%20Programming%20Industrial%20Automation%20Systems.pdf"},{"source_name":"PLCBlaster - Spenneberg","description":"Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"},{"source_name":"Stuxnet - Symantec - 201102","description":"Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.","url":"https://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/w32%20stuxnet%20dossier.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:08.992Z","name":"Graphical User Interface","description":"Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Process: Process Creation","Command: Command Execution","Module: Module Load","Logon Session: Logon Session Creation"],"type":"attack-pattern","id":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0823","external_id":"T0823"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:09.193Z","name":"Rogue Master","description":"Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Asset: Asset Inventory","Network Traffic: Network Traffic Flow","Operational Databases: Device Alarm","Network Traffic: Network Traffic Content","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0848","external_id":"T0848"},{"source_name":"Bastille April 2017","description":"Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ","url":"https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack"},{"source_name":"Zack Whittaker April 2017","description":"Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ","url":"https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:09.388Z","name":"Native API","description":"Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"execution"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Process: OS API Execution"],"type":"attack-pattern","id":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","created":"2021-04-13T12:36:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0834","external_id":"T0834"},{"source_name":"The MITRE Corporation May 2017","description":"The MITRE Corporation 2017, May 31 ATT&CK T1106: Native API Retrieved. 2021/04/26 ","url":"https://attack.mitre.org/techniques/T1106/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:09.581Z","name":"Loss of Availability","description":"Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0826","external_id":"T0826"},{"source_name":"Colonial Pipeline Company May 2021","description":"Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ","url":"https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption"},{"source_name":"Corero","description":"Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ","url":"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"},{"source_name":"Michael J. Assante and Robert M. Lee","description":"Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"},{"source_name":"Tyson Macaulay","description":"Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ","url":"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:09.780Z","name":"Theft of Operational Information","description":"Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0882","external_id":"T0882"},{"source_name":"Mark Thompson March 2016","description":"Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ","url":"https://time.com/4270728/iran-cyber-attack-dam-fbi/"},{"source_name":"Danny Yadron December 2015","description":"Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ","url":"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:09.988Z","name":"System Firmware","description":"System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"persistence"},{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Operational Databases: Device Alarm","Application Log: Application Log Content","Firmware: Firmware Modification","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0857","external_id":"T0857"},{"source_name":"Basnight, Zachry, et al.","description":"Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ","url":"http://www.sciencedirect.com/science/article/pii/S1874548213000231"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:10.181Z","name":"Masquerading","description":"Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \n\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"evasion"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Service: Service Creation","File: File Modification","Process: Process Metadata","Command: Command Execution","Scheduled Job: Scheduled Job Modification","Service: Service Modification","File: File Metadata","Scheduled Job: Scheduled Job Creation"],"type":"attack-pattern","id":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0849","external_id":"T0849"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:10.374Z","name":"Program Download","description":"Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space. \n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"lateral-movement"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Operational Databases: Device Alarm","Network Traffic: Network Traffic Content","Asset: Asset Inventory","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0843","external_id":"T0843"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:10.581Z","name":"Replication Through Removable Media","description":"Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Process: Process Creation","File: File Creation","Drive: Drive Creation","File: File Access"],"type":"attack-pattern","id":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0847","external_id":"T0847"},{"source_name":"BBC April 2016","description":"BBC 2016, April 28 German nuclear plant hit by computer viruses Retrieved. 2019/10/14 ","url":"https://www.bbc.com/news/technology-36158606"},{"source_name":"Catalin Cimpanu April 2016","description":"Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ","url":"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"},{"source_name":"Christoph Steitz, Eric Auchard April 2016","description":"Christoph Steitz, Eric Auchard 2016, April 26 German nuclear plant infected with computer viruses, operator says Retrieved. 2019/10/14 ","url":"https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS"},{"source_name":"Dark Reading Staff April 2016","description":"Dark Reading Staff 2016, April 28 German Nuclear Power Plant Infected With Malware Retrieved. 2019/10/14 ","url":"https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298"},{"source_name":"ESET April 2016","description":"ESET 2016, April 28 Malware found at a German nuclear power plant Retrieved. 2019/10/14 ","url":"https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/"},{"source_name":"Kernkraftwerk Gundremmingen April 2016","description":"Kernkraftwerk Gundremmingen 2016, April 25 Detektion von Bro-Schadsoftware an mehreren Rechnern Retrieved. 2019/10/14 ","url":"https://www.kkw-gundremmingen.de/presse.php?id=571"},{"source_name":"Lee Mathews April 2016","description":"Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses Retrieved. 2019/10/14 ","url":"https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/"},{"source_name":"Peter Dockrill April 2016","description":"Peter Dockrill 2016, April 28 Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant Retrieved. 2019/10/14 ","url":"https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant"},{"source_name":"Sean Gallagher April 2016","description":"Sean Gallagher 2016, April 27 German nuclear plants fuel rod system swarming with old malware Retrieved. 2019/10/14 ","url":"https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/"},{"source_name":"Trend Micro April 2016","description":"Trend Micro 2016, April 27 Malware Discovered in German Nuclear Power Plant Retrieved. 2019/10/14 ","url":"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:10.768Z","name":"Screen Capture","description":"Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Command: Command Execution","Process: OS API Execution"],"type":"attack-pattern","id":"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0852","external_id":"T0852"},{"source_name":"ICS-CERT October 2017","description":"ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ","url":"https://www.us-cert.gov/ncas/alerts/TA17-293A"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:10.962Z","name":"Hardcoded Credentials","description":"Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"lateral-movement"},{"kill_chain_name":"mitre-ics-attack","phase_name":"persistence"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["Aagam Shah, @neutrinoguy, ABB"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Logon Session: Logon Session Creation"],"type":"attack-pattern","id":"attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a","created":"2022-09-29T13:35:38.589Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0891","external_id":"T0891"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:11.152Z","name":"Valid Accounts","description":"Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"persistence"},{"kill_chain_name":"mitre-ics-attack","phase_name":"lateral-movement"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["User Account: User Account Authentication","Logon Session: Logon Session Creation","Logon Session: Logon Session Metadata"],"type":"attack-pattern","id":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0859","external_id":"T0859"},{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:11.342Z","name":"Exploitation for Privilege Escalation","description":"Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"privilege-escalation"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","created":"2021-04-13T12:08:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0890","external_id":"T0890"},{"source_name":"The MITRE Corporation","description":"The MITRE Corporation The MITRE Corporation ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ","url":"https://attack.mitre.org/techniques/T1068/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:11.536Z","name":"Remote System Discovery","description":"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"discovery"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["File: File Access","Process: Process Creation","Network Traffic: Network Traffic Content","Network Traffic: Network Traffic Flow"],"type":"attack-pattern","id":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0846","external_id":"T0846"},{"source_name":"Enterprise ATT&CK January 2018","description":"Enterprise ATT&CK 2018, January 11 Remote System Discovery Retrieved. 2018/05/17 ","url":"https://attack.mitre.org/wiki/Technique/T1018"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-05-08T20:13:24.241Z","name":"Engineering Workstation Compromise","description":"Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["Joe Slowik - Dragos"],"x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Engineering Workstation"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0818","external_id":"T0818"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:11.730Z","name":"Connection Proxy","description":"Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"command-and-control"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Network Traffic: Network Traffic Flow"],"type":"attack-pattern","id":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0884","external_id":"T0884"},{"source_name":"Enterprise ATT&CK January 2018","description":"Enterprise ATT&CK 2018, January 11 Connection Proxy Retrieved. 2018/05/17 ","url":"https://attack.mitre.org/wiki/Technique/T1090"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:11.924Z","name":"Standard Application Layer Protocol","description":"Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"command-and-control"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Network Traffic: Network Traffic Flow","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0869","external_id":"T0869"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Safety Instrumented System/Protection Relay","Field Controller/RTU/PLC/IED"],"x_mitre_domains":["ics-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-05-21T17:43:26.506Z","modified":"2022-05-06T17:47:24.401Z","name":"Modify Control Logic","description":"Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. \n\nProgram code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active.\n\nAn adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools.\n\nAn adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. \n\nIt is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the “real” pressure is for given analog signals and then automatically linearize the measurement to what would be the “real” pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. (Citation: Stuxnet - Langner - 201311)\n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Maroochy - MITRE - 200808)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impair-process-control"},{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0833","external_id":"T0833"},{"source_name":"Stuxnet - Langner - 201311","description":"Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.","url":"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"},{"source_name":"Maroochy - MITRE - 200808","description":"Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia. Retrieved March 27, 2018.","url":"https://www.mitre.org/sites/default/files/pdf/08%201145.pdf"}],"x_mitre_deprecated":true,"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:12.125Z","name":"Remote Services","description":"Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"},{"kill_chain_name":"mitre-ics-attack","phase_name":"lateral-movement"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_contributors":["Daisuke Suzuki"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Traffic: Network Traffic Flow","Module: Module Load","Logon Session: Logon Session Creation","Process: Process Creation","Command: Command Execution","Network Traffic: Network Connection Creation","Network Share: Network Share Access"],"type":"attack-pattern","id":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","created":"2021-04-12T19:26:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0886","external_id":"T0886"},{"source_name":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"},{"source_name":"CISA AA21-201A Pipeline Intrusion July 2021","description":"Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ","url":"https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"},{"source_name":"Dragos December 2017","description":"Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ","url":"https://dragos.com/blog/trisis/TRISIS-01.pdf"},{"source_name":"Joe Slowik April 2019","description":"Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ","url":"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-05-08T20:13:24.241Z","name":"I/O Module Discovery","description":"Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"discovery"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":true,"x_mitre_domains":["ics-attack"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Windows","Field Controller/RTU/PLC/IED"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-ics-attack","url":"https://attack.mitre.org/techniques/T0824","external_id":"T0824"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_is_subtechnique":false},{"modified":"2023-10-13T17:57:12.329Z","name":"Denial of Control","description":"Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"impact"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","type":"attack-pattern","id":"attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0813","external_id":"T0813"},{"source_name":"Corero","description":"Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ","url":"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"},{"source_name":"Mark Loveless April 2017","description":"Mark Loveless 2017, April 11 THE DALLAS COUNTY SIREN HACK Retrieved. 2020/11/06 ","url":"https://duo.com/decipher/the-dallas-county-siren-hack"},{"source_name":"Michael J. Assante and Robert M. Lee","description":"Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"},{"source_name":"Tyson Macaulay","description":"Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ","url":"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:12.528Z","name":"Modify Alarm Settings","description":"Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Application Log: Application Log Content","Asset: Asset Inventory","Operational Databases: Process History/Live Data","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0838","external_id":"T0838"},{"source_name":"Jos Wetzels, Marina Krotofil 2019","description":"Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ","url":"https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:12.723Z","name":"Commonly Used Port","description":"Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"command-and-control"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_contributors":["Matan Dobrushin - Otorio"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Traffic: Network Traffic Flow","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0885","external_id":"T0885"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:12.926Z","name":"Project File Infection","description":"Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"persistence"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["File: File Modification"],"type":"attack-pattern","id":"attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0873","external_id":"T0873"},{"source_name":"Beckhoff","description":"Beckhoff TwinCAT 3 Source Control: Project Files Retrieved. 2019/11/21 ","url":"https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id="},{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"},{"source_name":"PLCdev","description":"PLCdev Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 Siemens SIMATIC Step 7 Programmer's Handbook Retrieved. 2019/11/21 ","url":"http://www.plcdev.com/book/export/html/373"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2024-03-29T14:04:50.569Z","name":"Network Connection Enumeration","description":"Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Command: Command Execution","Process: Process Creation","Script: Script Execution","Process: OS API Execution"],"type":"attack-pattern","id":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0840","external_id":"T0840"},{"source_name":"MITRE","description":"MITRE System Network Connections Discovery Retrieved. 2018/05/31 ","url":"https://attack.mitre.org/wiki/Technique/T1049"},{"source_name":"Netstat","description":"Wikipedia. (n.d.). Netstat. Retrieved May 23, 2022.","url":"https://en.wikipedia.org/wiki/Netstat"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-13T17:57:13.327Z","name":"Lateral Tool Transfer","description":"Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"lateral-movement"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Network Share: Network Share Access","File: File Metadata","File: File Creation","Network Traffic: Network Traffic Content","Command: Command Execution","Process: Process Creation","Network Traffic: Network Traffic Flow"],"type":"attack-pattern","id":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0867","external_id":"T0867"},{"source_name":"Enterprise ATT&CK","description":"Enterprise ATT&CK Enterprise ATT&CK Lateral Tool Transfer Retrieved. 2019/10/27 Lateral Tool Transfer Retrieved. 2019/10/27 ","url":"https://attack.mitre.org/techniques/T1570/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:13.531Z","name":"Module Firmware","description":"Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"persistence"},{"kill_chain_name":"mitre-ics-attack","phase_name":"impair-process-control"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.1","x_mitre_data_sources":["Operational Databases: Device Alarm","Application Log: Application Log Content","Network Traffic: Network Traffic Content","Firmware: Firmware Modification"],"type":"attack-pattern","id":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0839","external_id":"T0839"},{"source_name":"Daniel Peck, Dale Peterson January 2009","description":"Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ","url":"https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-13T17:57:13.719Z","name":"Internet Accessible Device","description":"Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"initial-access"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Logon Session: Logon Session Metadata","Network Traffic: Network Traffic Flow","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","created":"2020-05-21T17:43:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0883","external_id":"T0883"},{"source_name":"Danny Yadron December 2015","description":"Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ","url":"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"},{"source_name":"Mark Thompson March 2016","description":"Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ","url":"https://time.com/4270728/iran-cyber-attack-dam-fbi/"},{"source_name":"NCCIC January 2014","description":"NCCIC 2014, January 1 Internet Accessible Control Systems At Risk Retrieved. 2019/11/07 ","url":"https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf"},{"source_name":"Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler","description":"Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats Retrieved. 2021/04/12 ","url":"https://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-factory-honeypot-to-capture-real-threats.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2024-04-09T20:51:03.049Z","name":"Data from Local System","description":"Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["File: File Access","Process: Process Creation","Script: Script Execution","Process: OS API Execution","Command: Command Execution"],"type":"attack-pattern","id":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","created":"2023-03-30T18:56:02.424Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0893","external_id":"T0893"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-13T17:57:14.123Z","name":"Change Credential","description":"Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device’s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"inhibit-response-function"}],"x_mitre_attack_spec_version":"3.1.0","x_mitre_contributors":["Felix Eberstaller"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["None"],"x_mitre_version":"1.0","x_mitre_data_sources":["Operational Databases: Device Alarm","Network Traffic: Network Traffic Content"],"type":"attack-pattern","id":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","created":"2023-03-30T14:04:17.023Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0892","external_id":"T0892"},{"source_name":"German BAS Lockout Dec 2021","description":"Kelly Jackson Higgins. (2021, December 20). Lights Out: Cyberattacks Shut Down Building Automation Systems. Retrieved March 30, 2023.","url":"https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-20T17:01:10.138Z","name":"Modify Program","description":"Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.","kill_chain_phases":[{"kill_chain_name":"mitre-ics-attack","phase_name":"persistence"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["ics-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["None"],"x_mitre_version":"1.2","x_mitre_data_sources":["Network Traffic: Network Traffic Content","Operational Databases: Device Alarm","Asset: Software","Application Log: Application Log Content"],"type":"attack-pattern","id":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T0889","external_id":"T0889"},{"source_name":"IEC February 2013","description":"IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ","url":"https://webstore.iec.ch/publication/4552"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--007a2c53-fc5c-4750-aff0-defb282e178a","created":"2023-09-29T16:30:30.829Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:30:30.829Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--00b98fa6-4913-40a4-8920-befed8621c41","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:15:33.180Z","description":"Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--00b9e63b-57a7-408e-83d6-fc03535010a6","created":"2023-09-27T14:39:33.141Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T15:17:22.734Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used Valid Accounts taken from the Windows Domain Controller to access the control system Virtual Private Network (VPN) used by grid operators. (Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.104Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--011f1d16-c9f1-48ac-94f1-165466c155f8","created":"2023-09-29T18:43:33.176Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:43:33.176Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd","created":"2023-09-29T16:30:58.431Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:30:58.431Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--01335508-22bb-4185-a7e2-49ec9bee6423","created":"2023-09-28T20:15:20.293Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:15:20.293Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--01b4a92f-da42-4dfa-8d59-53709b65940e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.203Z","relationship_type":"mitigates","description":"Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n","source_ref":"course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0","created":"2023-09-29T18:42:27.894Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:42:27.894Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124","created":"2023-09-29T18:55:47.037Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:55:47.037Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50","created":"2023-09-29T17:42:44.516Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:42:44.516Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0278ddbc-67d5-444d-8082-bf9974dee920","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:47:45.775Z","description":"Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.","relationship_type":"detects","source_ref":"x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.177Z","relationship_type":"mitigates","description":"Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c","created":"2023-09-29T17:59:31.091Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:59:31.091Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--033b4401-261f-498b-89f3-2bad9ff5907a","created":"2023-09-29T17:58:15.338Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:58:15.338Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:27:54.588Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57","created":"2023-09-29T16:29:03.438Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:29:03.438Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022","created":"2022-09-27T17:39:15.655Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:56:24.399Z","description":"Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB).","relationship_type":"detects","source_ref":"x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7","created":"2024-03-28T14:33:00.899Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Triton-EENews-2017","description":"Blake Sobczak. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024.","url":"https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:00:10.292Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) changed phone numbers tied to certain specific accounts in a designated contact list. They then used the changed phone numbers to redirect network traffic to websites controlled by them, thereby allowing them to capture and use any login codes sent to the devices via text message.(Citation: Triton-EENews-2017)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.209Z","relationship_type":"mitigates","description":"A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n","source_ref":"course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e","target_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91","created":"2023-03-30T19:00:12.380Z","revoked":false,"external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:00:12.380Z","description":"Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)","relationship_type":"mitigates","source_ref":"course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361","created":"2023-09-29T17:40:34.866Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:40:34.866Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--042243fd-bfe0-4961-96de-a36232d3ff74","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Symantec Security Response July 2014","description":"Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ","url":"https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries."}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T16:04:03.547Z","description":"[Dragonfly](https://attack.mitre.org/groups/G0035) utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) or [Trojan.Karagany](https://attack.mitre.org/software/S0094). (Citation: Symantec Security Response July 2014)","relationship_type":"uses","source_ref":"intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--04882fef-2a6b-40d0-a101-da9c76a3572e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.128Z","relationship_type":"mitigates","description":"Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n","source_ref":"course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3","target_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0491ef92-2941-4841-9fe6-2e1809788b52","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.210Z","relationship_type":"mitigates","description":"Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863","created":"2023-09-28T20:29:11.776Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:29:11.776Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--04bf72de-75ba-4d95-ad24-f93ad835180c","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:54:26.520Z","description":"[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. (Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6","target_ref":"attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.218Z","relationship_type":"mitigates","description":"Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--052552e9-eac0-4b37-9df8-2e921053e305","created":"2023-03-30T19:05:17.003Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:05:17.003Z","description":"Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases.","relationship_type":"detects","source_ref":"x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--058396ca-3af4-444b-b261-74485c47e68c","created":"2017-05-31T21:33:27.074Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Joe Slowik April 2019","description":"Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ","url":"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:30:17.124Z","description":"[Bad Rabbit](https://attack.mitre.org/software/S0606) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)","relationship_type":"uses","source_ref":"malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--064dfd6f-db5d-48e8-b350-9dd47a270911","created":"2022-09-28T20:22:09.916Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA-AA22-103A","description":"DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T15:16:59.156Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely read the OCP UA structure from devices.(Citation: CISA-AA22-103A) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--06782c99-93de-4db9-9c30-6f96aef894d2","created":"2023-03-30T19:06:49.501Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:06:49.501Z","description":"Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--067932c3-0011-4ca2-9bbe-721c631e4e41","created":"2021-04-13T12:45:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Daavid Hentunen, Antti Tikkanen June 2014","description":"Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ","url":"https://www.f-secure.com/weblog/archives/00002718.html"},{"source_name":"ICS-CERT August 2018","description":"ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ","url":"https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:19:04.571Z","description":"The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)","relationship_type":"uses","source_ref":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.183Z","relationship_type":"mitigates","description":"Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--06f15629-d050-434a-aed1-3bb3f90c97b2","created":"2022-09-27T15:22:37.864Z","revoked":false,"external_references":[{"source_name":"Elastic - Koadiac Detection with EQL","description":"Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.","url":"https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:22:37.864Z","description":"Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:12:43.166Z","description":"Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages over serial COM ports are blocked.","relationship_type":"detects","source_ref":"x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e","created":"2023-09-28T21:28:51.104Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:28:51.104Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--076bfea6-309e-4804-a147-dffe93983481","created":"2023-09-28T20:16:17.295Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:16:17.295Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--07c0e166-f05e-413f-8f3e-f487317c9626","created":"2023-03-22T15:53:59.953Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-22T15:53:59.953Z","description":"Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.","relationship_type":"mitigates","source_ref":"course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--07e06d21-e666-4274-838a-ef9996fdc0cd","created":"2023-09-28T20:05:45.540Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:05:45.540Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44","created":"2023-09-29T16:47:20.192Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:47:20.192Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--07f4d65d-4572-450f-8cb2-908fee97bd67","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.228Z","relationship_type":"mitigates","description":"Application control may be able to prevent the running of executables masquerading as other files.\n","source_ref":"course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--08302021-aacf-428f-a0ce-e1034d925fb0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.115Z","relationship_type":"mitigates","description":"Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n","source_ref":"course-of-action--d48b79b2-076d-483e-949c-0d38aa347499","target_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--088580e9-ccea-426e-9411-c1de60de650d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.206Z","relationship_type":"mitigates","description":"Devices should authenticate all messages between master and outstation assets.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:57:47.375Z","description":"Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0951222a-42d1-4635-bb12-5285bc6500e0","created":"2023-09-28T20:15:45.244Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:15:45.244Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--095456bc-898b-4c76-a062-ff0ea90aeab4","created":"2023-09-28T21:25:05.393Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:25:05.393Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--096c3136-dac9-4729-98c0-c8d870f2bd13","created":"2023-09-28T19:42:01.055Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:42:01.055Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--09977105-562f-4f45-a151-27a11a18031e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.164Z","relationship_type":"mitigates","description":"The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n","source_ref":"course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--09e0c991-1707-431b-a0fd-fd8215e6d552","created":"2023-09-28T20:30:12.291Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:30:12.291Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6","created":"2023-09-28T19:53:56.266Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:53:56.266Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:41:46.146Z","description":"Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.","relationship_type":"detects","source_ref":"x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0a421699-f013-49f4-9d9f-01d95d210510","created":"2023-09-28T19:37:25.214Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:37:25.214Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a","created":"2023-09-29T17:38:04.048Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:38:04.048Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:29:20.151Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91","created":"2023-10-02T20:23:11.865Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:23:11.865Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42","created":"2023-09-28T19:59:10.561Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:59:10.561Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f","created":"2023-09-28T21:22:48.239Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:22:48.239Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0b7f643e-8975-4998-acbb-7405fa944a68","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:54:38.303Z","description":"Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b","created":"2023-09-29T18:46:22.739Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:46:22.739Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016","created":"2023-09-28T20:10:34.479Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:10:34.479Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jacqueline O'Leary et al. September 2017","description":"Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ","url":"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"},{"source_name":"Junnosuke Yagi March 2017","description":"Junnosuke Yagi 2017, March 07 Trojan.Stonedrill Retrieved. 2019/12/05 ","url":"https://www.symantec.com/security-center/writeup/2017-030708-4403-99"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T15:41:15.111Z","description":"[APT33](https://attack.mitre.org/groups/G0064) utilize backdoors capable of capturing screenshots once installed on a system. (Citation: Jacqueline O'Leary et al. September 2017)(Citation: Junnosuke Yagi March 2017)","relationship_type":"uses","source_ref":"intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f","target_ref":"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444","created":"2017-05-31T21:33:27.074Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017","description":"Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ","url":"https://securelist.com/bad-rabbit-ransomware/82851/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:30:30.761Z","description":"[Bad Rabbit](https://attack.mitre.org/software/S0606) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)","relationship_type":"uses","source_ref":"malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0c284ce0-0be2-4164-b686-7c383b246aec","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ESET Research Whitepapers September 2018","description":"ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ","url":"https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"},{"source_name":"Intel","description":"Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ","url":"https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf"},{"source_name":"N/A","description":"N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ","url":"https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:19:56.151Z","description":"Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n","relationship_type":"mitigates","source_ref":"course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a","created":"2022-09-27T15:49:26.908Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:49:26.908Z","description":"Monitor asset application logs for information that indicate task parameters have changed.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0c72593d-fcc6-4023-8771-bed5e243310e","created":"2023-09-28T21:24:37.417Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:24:37.417Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.070Z","relationship_type":"mitigates","description":"Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8","created":"2023-09-28T19:51:27.775Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:51:27.775Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0d305450-d5ca-46fe-8583-36c983dd0a88","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:43:33.144Z","description":"Monitor ICS management protocols for functions that change an asset’s operating mode.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0d4f2f88-e176-42c7-8258-52b345045662","created":"2022-09-28T20:29:51.844Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA-AA22-103A","description":"DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T15:17:08.493Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.(Citation: CISA-AA22-103A) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0d52eea3-394e-492b-944b-9ccb6348329d","created":"2023-09-28T21:14:41.633Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:14:41.633Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0d540b53-6a5d-4f56-9dee-47707443b149","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-30T16:00:14.208Z","description":"Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., “Read” function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process’ state, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0d8e0324-ba8e-4712-a123-60377afe94da","created":"2023-09-29T18:48:17.073Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:48:17.073Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136","created":"2023-09-29T17:57:12.010Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:57:12.010Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc","created":"2022-09-26T14:27:28.370Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:27:28.370Z","description":"Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0df0cb6d-0067-48b2-a33e-495415713ab7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.181Z","relationship_type":"mitigates","description":"Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81","created":"2024-04-09T20:58:17.933Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:58:17.933Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954","created":"2023-09-29T16:27:50.949Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:27:50.949Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0e275c19-7688-47f8-8cd5-85eaacec465b","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:34:04.450Z","description":"Monitor industrial process history data for events that correspond with command message functions, such as setpoint modification or changes to system status for key devices. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:09:52.454Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.202Z","relationship_type":"mitigates","description":"Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n","source_ref":"course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos","description":"Dragos Allanite Retrieved. 2019/10/27 ","url":"https://dragos.com/resource/allanite/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T15:40:08.649Z","description":"[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. (Citation: Dragos)","relationship_type":"uses","source_ref":"intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29","created":"2023-09-29T17:57:34.378Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:57:34.378Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Andy Greenburg June 2019","description":"Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 2020/01/03 ","url":"https://www.wired.com/story/iran-hackers-us-phishing-tensions/"},{"source_name":"Jacqueline O'Leary et al. September 2017","description":"Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ","url":"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T15:41:49.943Z","description":"[APT33](https://attack.mitre.org/groups/G0064) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0064) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. (Citation: Andy Greenburg June 2019)","relationship_type":"uses","source_ref":"intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0f5295ce-d705-4541-8dda-c569b126d103","created":"2023-10-02T20:24:03.723Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:24:03.723Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72","created":"2023-09-29T17:09:11.210Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:09:11.210Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.197Z","relationship_type":"mitigates","description":"Devices should authenticate all messages between master and outstation assets.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.209Z","relationship_type":"mitigates","description":"Ensure proper network segmentation between higher level corporate resources and the control process environment.\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.137Z","relationship_type":"mitigates","description":"Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n","source_ref":"course-of-action--da44255d-85c5-492c-baf3-ee823d44f848","target_ref":"attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.229Z","relationship_type":"mitigates","description":"Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--10626671-941d-4a82-a835-56059058ef87","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.065Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--106530e1-375a-4ac4-befb-8297b3b05610","created":"2023-09-29T18:55:58.199Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:55:58.199Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--107d9a23-991b-44f5-97f6-7f6983c7013a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.099Z","relationship_type":"mitigates","description":"Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--10e87e4b-a231-42e3-a011-0031f8226936","created":"2022-09-26T17:15:51.819Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T17:15:51.819Z","description":"Monitor for firmware changes which may be observable via operational alarms from devices.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:09:35.145Z","description":"Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if reporting messages are blocked. ","relationship_type":"detects","source_ref":"x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--111f437a-c67d-40e4-9515-7e9b22e65eff","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.234Z","relationship_type":"mitigates","description":"Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n","source_ref":"course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","external_references":[{"source_name":"Microsoft May 2017","description":"Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 ","url":"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft"},{"source_name":"Microsoft August 2018","description":"Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 2020/09/25 ","url":"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models"},{"source_name":"Microsoft February 2019","description":"Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ","url":"https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--11840b30-f0d1-4df5-a960-cdb80749c32a","created":"2023-09-29T17:07:25.209Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:07:25.209Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--11a82651-4d69-4738-89c6-17d0243cbbb0","created":"2023-09-29T17:37:26.536Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:37:26.536Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T17:07:03.003Z","description":"Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab","created":"2021-04-13T12:28:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ben Hunter and Fred Gutierrez July 2020","description":"Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12 ","url":"https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems"},{"source_name":"Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020","description":"Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 2021/04/12 ","url":"https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:45:28.094Z","description":"Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0605) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. (Citation: Ben Hunter and Fred Gutierrez July 2020)","relationship_type":"uses","source_ref":"malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--128de3f9-df58-4122-9523-0ac65a6ebf71","created":"2023-09-29T17:45:20.237Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:45:20.237Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:10:34.653Z","description":"Monitor for a loss of network communications, which may indicate this technique is being used.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693","type":"relationship","created":"2022-03-09T23:42:34.056Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Secureworks IRON VIKING ","url":"https://www.secureworks.com/research/threat-profiles/iron-viking","description":"Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."}],"modified":"2022-03-09T23:42:34.056Z","description":"(Citation: Secureworks IRON VIKING )","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.077Z","relationship_type":"mitigates","description":"Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4","created":"2023-09-28T21:13:23.057Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:13:23.057Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36","created":"2023-09-28T19:39:58.335Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:39:58.335Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f","created":"2022-09-26T18:41:48.947Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T18:41:48.947Z","description":"Monitor for firmware changes which may be observable via operational alarms from devices.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--13809e98-1d74-4c39-b882-9d523c76cbde","created":"2021-04-13T12:36:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jos Wetzels January 2018","description":"Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ","url":"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:24:07.929Z","description":"[Triton](https://attack.mitre.org/software/S1009)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. (Citation: Jos Wetzels January 2018)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.071Z","relationship_type":"mitigates","description":"Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n","source_ref":"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--13d76624-7049-45c5-94d3-8f172b7f6336","created":"2023-09-27T14:48:58.922Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T15:18:18.595Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) established an internal proxy prior to the installation of backdoors within the network. (Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:38:23.604Z","description":"Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6","created":"2023-10-02T20:24:12.666Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:24:12.666Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc","created":"2023-09-29T16:32:33.078Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:32:33.078Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--147c2158-b2af-4d88-9d59-594c67a9200e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.204Z","relationship_type":"mitigates","description":"Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495","created":"2023-09-29T16:40:06.079Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:40:06.079Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--15188683-7ded-4578-9102-73459ecbe095","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:37:54.914Z","description":"Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a","created":"2023-09-28T19:47:25.303Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:47:25.303Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--154de746-5ea2-43b4-97b2-221b2433cbde","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:48:49.308Z","description":"Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--159fb736-ba92-4564-aa6d-db6f64497763","created":"2023-09-28T20:25:59.717Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:25:59.717Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--15a39e3b-124e-4e68-95b5-7b8020225c12","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:30:27.289Z","description":"Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. ","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916","created":"2024-03-25T20:10:21.706Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jamie Tarabay and Katrina Manson December 2023","description":"Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024.","url":"https://www.bloomberg.com/news/articles/2023-12-22/iranian-linked-hacks-expose-failure-to-safeguard-us-water-system"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:11:42.337Z","description":"During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused multiple businesses to halt operations due to the unavailability of the [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) and [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). These victims covered multiple sectors.(Citation: Jamie Tarabay and Katrina Manson December 2023)","relationship_type":"uses","source_ref":"campaign--8fda050f-470d-4401-994e-35c1a6c301de","target_ref":"attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b","created":"2023-09-28T20:06:03.889Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:06:03.889Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4","created":"2023-09-29T18:48:52.853Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:48:52.853Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--16c7240e-0559-4c49-9003-1bfe97074252","created":"2024-04-09T21:02:28.446Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T21:02:28.446Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d","created":"2023-03-30T18:57:58.377Z","revoked":false,"external_references":[{"source_name":"Symantec","description":"Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ","url":"https://docs.broadcom.com/doc/w32-duqu-11-en"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T18:57:58.377Z","description":"[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data from local systems. The modules are named: infostealer 1, infostealer 2 and reconnaissance. (Citation: Symantec)","relationship_type":"uses","source_ref":"malware--68dca94f-c11d-421e-9287-7c501108e18c","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749","created":"2023-09-29T17:05:30.498Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:05:30.498Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.128Z","relationship_type":"mitigates","description":"This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n","source_ref":"course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433","target_ref":"attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa","created":"2023-10-02T20:18:01.546Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:18:01.546Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab","created":"2023-09-29T17:45:45.485Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:45:45.485Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--17fdec71-98e8-4314-a1be-037edede58bd","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:26:48.171Z","description":"Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1865830b-511d-4302-99f7-6143647a8e40","created":"2023-10-02T20:23:52.339Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:23:52.339Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5","created":"2024-03-25T20:08:41.065Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA AA23-335A IRGC-Affiliated December 2023","description":"DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"},{"source_name":"CISA Unitronics November 2023","description":"DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024.","url":"https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems"},{"source_name":"Frank Bajak and Marc Levy December 2023","description":"Frank Bajak and Marc Levy. (2023, December 2). Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say. Retrieved March 25, 2024.","url":"https://apnews.com/article/hackers-iran-israel-water-utilities-critical-infrastructure-cisa-554b2aa969c8220016ab2ef94bd7635b"},{"source_name":"Jamie Tarabay and Katrina Manson December 2023","description":"Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024.","url":"https://www.bloomberg.com/news/articles/2023-12-22/iranian-linked-hacks-expose-failure-to-safeguard-us-water-system"},{"source_name":"WPXI Aliquippa Water November 2023","description":"WPXI. (2023, November 27). Officials investigating cyberattack on Municipal Water Authority of Aliquippa. Retrieved March 25, 2024.","url":"https://www.wpxi.com/news/local/officials-investigating-cyberattack-municipal-water-authority-aliquippa/K5A3BEW35RAXJPMNHNE35RZ7WA/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:11:59.782Z","description":"During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) defaced controllers’ [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002), which prevented multiple entities from being able to operate their devices normally.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)(Citation: Jamie Tarabay and Katrina Manson December 2023)(Citation: Frank Bajak and Marc Levy December 2023) Additionally, the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused a communications failure in a remote pumping station.(Citation: WPXI Aliquippa Water November 2023)","relationship_type":"uses","source_ref":"campaign--8fda050f-470d-4401-994e-35c1a6c301de","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--18af193c-160a-4cae-9078-4d69de5c2347","created":"2023-09-29T18:56:21.340Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:56:21.340Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75","created":"2023-09-29T18:02:01.822Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:02:01.822Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--18ef2d69-d11a-4d31-a803-da989c4073f7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.096Z","relationship_type":"mitigates","description":"Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--193c3cd3-0b22-4839-a1fa-413aee61e882","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:30:40.378Z","description":"Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--19ab6776-42de-48af-975a-568d31a3bb66","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.152Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016) (Citation: N/A)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"},{"source_name":"N/A","description":"N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 2020/09/25 ","url":"https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348","created":"2022-09-28T21:18:55.279Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA-AA22-103A","description":"DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T15:17:21.181Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c","created":"2023-09-28T20:11:23.956Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:11:23.956Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826","created":"2023-09-28T21:13:49.529Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:13:49.529Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0","created":"2023-10-02T20:18:45.122Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:18:45.122Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.106Z","relationship_type":"mitigates","description":"Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.\n","source_ref":"course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--1a900ac4-c150-4b57-a899-990854b01d4b","created":"2023-09-29T16:33:50.423Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:33:50.423Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356","created":"2023-09-29T18:57:45.950Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:57:45.950Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d","created":"2023-09-28T20:09:21.736Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:09:21.736Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1aa02c37-973e-46bd-ab45-609463e514e9","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.228Z","relationship_type":"mitigates","description":"If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n","source_ref":"course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5","created":"2024-03-25T20:05:52.868Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA AA23-335A IRGC-Affiliated December 2023","description":"DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"},{"source_name":"CISA Unitronics November 2023","description":"DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024.","url":"https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:12:20.534Z","description":"During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) discovered and exploited default credentials found on many Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). For many of these devices, the default password was set to ‘1111’.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)","relationship_type":"uses","source_ref":"campaign--8fda050f-470d-4401-994e-35c1a6c301de","target_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1acccbe8-64e1-49ad-87df-215d5c87f050","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:42:43.105Z","description":"Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.","relationship_type":"detects","source_ref":"x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185","created":"2023-09-29T18:01:06.725Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:01:06.725Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d","created":"2024-09-11T22:51:15.202Z","revoked":false,"external_references":[{"source_name":"Claroty Fuxnet 2024","description":"Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.","url":"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-11T22:51:15.202Z","description":"[Fuxnet](https://attack.mitre.org/software/S1157) execution relied upon accessing Internet-accessible devices for initial access and deployment.(Citation: Claroty Fuxnet 2024)","relationship_type":"uses","source_ref":"malware--931e2489-8078-4f9f-85b2-a9211950e75b","target_ref":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5","created":"2023-09-29T17:43:41.332Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:43:41.332Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b","created":"2023-09-29T16:41:44.745Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:41:44.745Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738","created":"2023-09-29T18:00:32.581Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:00:32.581Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:11:33.323Z","description":"Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1c3d966a-5995-48ed-919d-25b972010fe9","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"IEC February 2019","description":"IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ","url":"https://webstore.iec.ch/publication/34421"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:37:12.017Z","description":"Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n","relationship_type":"mitigates","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1c7df4f1-cee5-42c6-a974-29552552666f","created":"2023-09-28T19:47:08.952Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:47:08.952Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1c831708-28c2-47ae-a158-39f1f7b73406","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-29T20:10:57.573Z","description":"The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081","created":"2023-09-29T18:46:12.052Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:46:12.052Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1d35c947-447f-4693-9ab0-32dff56e664e","created":"2021-04-13T12:45:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-29T20:19:47.429Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\n[Stuxnet](https://attack.mitre.org/software/S0603) was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1d399f67-090e-444b-b75d-eed4b1780f08","created":"2022-09-26T18:42:16.844Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T18:42:16.844Z","description":"Monitor device application logs for firmware changes, although not all devices will produce such logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653","created":"2023-09-29T17:40:22.705Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:40:22.705Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57","created":"2023-09-27T13:22:26.752Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T13:25:35.597Z","description":"(Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335","created":"2021-04-13T12:28:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ben Hunter and Fred Gutierrez July 2020","description":"Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12 ","url":"https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:46:56.223Z","description":"[EKANS](https://attack.mitre.org/software/S0605) performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. (Citation: Ben Hunter and Fred Gutierrez July 2020)","relationship_type":"uses","source_ref":"malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5","target_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1e6da55a-ab6c-4583-9e20-583f82096497","created":"2022-09-26T14:40:01.334Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:49:58.047Z","description":"Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T18:46:37.894Z","description":"Analyze network data for uncommon data flows (e.g., new protocols in use between hosts, unexpected ports in use). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. ","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e","created":"2023-09-28T21:12:25.345Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:12:25.345Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:56:06.055Z","description":"Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. ","relationship_type":"detects","source_ref":"x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1f785984-791e-4612-be32-9ee6903a9c0b","created":"2022-09-28T20:26:09.928Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.433Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:34:32.554Z","description":"Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.","relationship_type":"detects","source_ref":"x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1f87378c-49fb-4da5-8ed3-3672633d3713","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.123Z","relationship_type":"mitigates","description":"Regularly scan the internal network for available services to identify new and potentially vulnerable services.\n","source_ref":"course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--1f8abf6f-0dd0-4449-b555-733fe7296177","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jos Wetzels January 2018","description":"Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ","url":"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:24:19.351Z","description":"[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. (Citation: Jos Wetzels January 2018)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.235Z","relationship_type":"mitigates","description":"Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Implement user accounts for each individual for enforcement and non-repudiation of actions.\n","source_ref":"course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8","created":"2023-09-29T17:09:59.595Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:09:59.595Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437","created":"2021-04-12T18:49:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Tom Fakterman August 2019","description":"Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ","url":"https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:03:36.379Z","description":"[REvil](https://attack.mitre.org/software/S0496) initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. (Citation: Tom Fakterman August 2019)","relationship_type":"uses","source_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3","created":"2023-09-28T19:54:37.802Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:54:37.802Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459","created":"2022-09-23T16:35:17.240Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:34:31.627Z","description":"Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a network.","relationship_type":"detects","source_ref":"x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2057ec71-a94f-49cc-b348-2eeb44899afd","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T18:40:20.312Z","description":"Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\\Windows\\System32). ","relationship_type":"detects","source_ref":"x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--206cc4c8-797e-427b-86f1-4c81df391c6e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.224Z","relationship_type":"mitigates","description":"Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","external_references":[{"source_name":"Karen Scarfone; Paul Hoffman September 2009","description":"Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ","url":"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"},{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"},{"source_name":"Dwight Anderson 2014","description":"Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b","created":"2023-03-30T19:26:19.782Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Industroyer2 Mandiant April 2022","description":"Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.","url":"https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks"},{"source_name":"Industroyer2 Forescout July 2022","description":"Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.","url":"https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-06T22:09:28.674Z","description":"[Industroyer2](https://attack.mitre.org/software/S1072) can iterate across a device’s IOAs to modify the ON/OFF value of a given IO state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)","relationship_type":"uses","source_ref":"malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.094Z","relationship_type":"mitigates","description":"Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--208fe57b-cf2e-4188-8a6f-77597cd60351","created":"2023-09-29T17:44:43.317Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:44:43.317Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.084Z","relationship_type":"mitigates","description":"If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.\n","source_ref":"course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--20f66fab-7a08-4707-ac79-92dac5acd11d","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016","description":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:00:13.772Z","description":"[PLC-Blaster](https://attack.mitre.org/software/S1006)'s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)","relationship_type":"uses","source_ref":"malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--21041206-da58-45c7-adb0-db07caebdcb6","created":"2021-04-13T12:36:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016","description":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:00:27.700Z","description":"[PLC-Blaster](https://attack.mitre.org/software/S1006) uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)","relationship_type":"uses","source_ref":"malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe","target_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--21058f32-3d6e-4381-9288-5c2248e84cce","created":"2023-09-29T18:44:27.240Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:44:27.240Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--21134484-2d59-46b7-b878-527121fff1e3","created":"2022-09-26T14:28:17.209Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:28:17.209Z","description":"Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4","created":"2023-09-28T19:44:53.873Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:44:53.873Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--21470001-67f2-47cf-af21-784e5024ac1d","created":"2023-09-29T18:01:22.023Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:01:22.023Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--214eb531-411c-4b90-9dbf-dc0183cbb919","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:34:19.403Z","description":"Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2159458f-87fc-4479-81f4-a2521a378221","created":"2023-09-28T21:22:09.790Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:22:09.790Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--21aa6331-3419-4049-b180-8349b71e1f2a","created":"2023-09-28T21:11:03.947Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:11:03.947Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.089Z","relationship_type":"mitigates","description":"Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--220140ac-d927-4d86-9335-c04aa6ee3c61","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.126Z","relationship_type":"mitigates","description":"Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. (Citation: Keith Stouffer May 2015)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--22448288-32d9-4d2c-be16-0784e119fff1","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:26:11.066Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--22548926-29b4-4882-9878-633375489c0e","created":"2023-09-28T20:30:50.842Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:30:50.842Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2289f005-7863-4af5-b681-cdfc03d3f111","created":"2023-09-29T18:56:08.414Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:56:08.414Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ESET","description":"ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ","url":"https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:10:58.645Z","description":"[ACAD/Medre.A](https://attack.mitre.org/software/S1000) can collect AutoCad files with drawings. These drawings may contain operational information. (Citation: ESET)\n","relationship_type":"uses","source_ref":"malware--a4a98eab-b691-45d9-8c48-869ef8fefd57","target_ref":"attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--22ba5443-ea49-4076-a666-722eb5352f70","created":"2023-09-28T20:02:45.697Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:02:45.697Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--232c7049-7609-46a9-8bbe-38672713f853","created":"2023-09-28T21:15:32.371Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:15:32.371Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49","created":"2023-09-29T16:43:53.940Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:43:53.940Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--234da455-b795-4788-bc5d-22b4b58b2dc7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.212Z","relationship_type":"mitigates","description":"Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--23851bda-49de-4f35-979f-c4e6b5742389","created":"2024-04-09T20:59:53.669Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:59:53.669Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Microsoft Security Response Center August 2017","description":"Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ","url":"https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"},{"source_name":"Wikipedia","description":"Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ","url":"https://en.wikipedia.org/wiki/Control-flow_integrity"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:19:12.382Z","description":"Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n","relationship_type":"mitigates","source_ref":"course-of-action--49363b74-d506-4342-bd63-320586ebadb9","target_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.138Z","relationship_type":"mitigates","description":"Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n","source_ref":"course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401","target_ref":"attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2","external_references":[{"source_name":"A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004","description":"A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ","url":"https://www.icheme.org/media/9906/xviii-paper-23.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.169Z","relationship_type":"mitigates","description":"Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.\n","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07","created":"2023-09-28T20:25:47.357Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:25:47.357Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--245c8c36-28e5-4508-a585-7768cb33299a","created":"2023-03-10T20:06:10.209Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:06:10.209Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the system over radio.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d","created":"2024-04-09T21:00:24.049Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T21:00:24.049Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--24885921-734f-46c1-85d7-3f79e0b886d6","created":"2023-09-27T14:51:18.262Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.257Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable. (Citation: Ukraine15 - EISAC - 201603)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5","created":"2023-09-29T17:07:55.738Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:07:55.738Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe","created":"2023-09-28T20:10:06.838Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:10:06.838Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--250212f0-a149-4a14-af83-94f7fcedc021","created":"2023-09-28T20:26:29.934Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:26:29.934Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--25281488-be20-4d83-89d1-1da7ea836037","created":"2023-09-29T17:40:47.898Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:40:47.898Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3","created":"2023-03-30T18:57:21.754Z","revoked":false,"external_references":[{"source_name":"Kevin Savage and Branko Spasojevic","description":"Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ","url":"https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T18:57:21.754Z","description":"[Flame](https://attack.mitre.org/software/S0143) has built-in modules to gather information from compromised computers. (Citation: Kevin Savage and Branko Spasojevic)","relationship_type":"uses","source_ref":"malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--25e7ca82-2784-433a-90a9-a3483615a655","created":"2019-04-12T17:01:01.255Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye WannaCry 2017","description":"Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.","url":"https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"},{"source_name":"SecureWorks WannaCry Analysis","description":"Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.","url":"https://www.secureworks.com/research/wcry-ransomware-analysis"},{"source_name":"FireEye APT38 Oct 2018","description":"FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.","url":"https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"},{"source_name":"LogRhythm WannaCry","description":"Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.","url":"https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-08-26T16:33:33.986Z","description":"(Citation: FireEye APT38 Oct 2018)(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)","relationship_type":"uses","source_ref":"intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a","target_ref":"malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--26254163-4f25-4d30-8456-ca093459ff32","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:32:29.856Z","description":"Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. ","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d","created":"2022-09-26T16:16:21.749Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:16:21.749Z","description":"Monitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7","created":"2023-03-10T20:34:25.450Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T22:05:00.124Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary disabled alarms at four pumping stations, preventing notifications to the central computer.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--26d68f5d-6ee5-4d98-b175-943366ccc038","created":"2020-10-14T21:33:27.046Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos October 2018","description":"Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ","url":"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T16:54:09.871Z","description":"[Sandworm Team](https://attack.mitre.org/groups/G0034) uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. (Citation: Dragos October 2018)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--26e58427-a2bd-4e77-9939-16ef60a072e7","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:49:04.746Z","description":"Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n","relationship_type":"mitigates","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.170Z","relationship_type":"mitigates","description":"Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--274994e7-1fe9-463a-9979-46c72107bf9b","created":"2023-03-30T18:56:47.685Z","revoked":false,"external_references":[{"source_name":"ESET","description":"ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ","url":"https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T18:56:47.685Z","description":"[ACAD/Medre.A](https://attack.mitre.org/software/S1000) collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from infected systems. (Citation: ESET)","relationship_type":"uses","source_ref":"malware--a4a98eab-b691-45d9-8c48-869ef8fefd57","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--276aa6a6-e700-470a-8f72-02537ba7be9d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.128Z","relationship_type":"mitigates","description":"Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n","source_ref":"course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--2867f491-919b-463f-b689-bb3ceb7ae99f","created":"2022-09-28T20:31:07.486Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos-Pipedream","description":"DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.","url":"https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"},{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"},{"source_name":"Brubaker-Incontroller","description":"Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.","url":"https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.434Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to remotely connect to Schneider PLCs and perform maintenance functions on the device.(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use Telnet to upload payloads and execute commands on Omron PLCs.\t(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream) The malware can also use HTTP-based CGI scripts (e.g., cpu.fcgi, ecat.fcgi) to gain administrative access to the device.(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad","created":"2023-09-29T18:05:32.443Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:05:32.443Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:10:43.996Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e","created":"2023-09-28T21:26:47.115Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:26:47.115Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--296375b0-817d-4f42-afe1-4308f5edf973","created":"2023-09-28T21:10:25.193Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:10:25.193Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2971151c-0e8a-4567-84dc-01cf5dd35005","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.199Z","relationship_type":"mitigates","description":"Digital signatures may be used to ensure application DLLs are authentic prior to execution.\n","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--29b85313-645b-4fb1-b5c2-f580d111760b","created":"2022-09-26T19:38:04.844Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:36:50.910Z","description":"Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled.","relationship_type":"detects","source_ref":"x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81","created":"2023-09-29T18:46:39.854Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:46:39.854Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2a451896-81aa-4eed-a444-4d04661adeeb","created":"2023-09-29T16:43:42.911Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:43:42.911Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe","created":"2023-09-28T19:38:46.361Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:38:46.361Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.127Z","relationship_type":"mitigates","description":"Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.\n","source_ref":"course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433","target_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1","created":"2023-09-29T18:46:54.684Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:46:54.684Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2c79920a-f2d1-4114-a1df-924835da645c","created":"2023-09-28T19:53:00.672Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:53:00.672Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.071Z","relationship_type":"mitigates","description":"Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.150Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919","created":"2022-09-27T16:30:41.482Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T16:30:41.482Z","description":"Monitor device management protocols for functions that modify programs such as online edit and program append events.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2","created":"2023-09-29T16:33:12.887Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:33:12.887Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:02:57.267Z","description":"Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.","relationship_type":"detects","source_ref":"x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.126Z","relationship_type":"mitigates","description":"Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.\n","source_ref":"course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe","created":"2023-09-29T17:39:15.857Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:39:15.857Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2e0769d7-088e-45d5-a262-6dbc91a95073","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:51:31.992Z","description":"Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.","relationship_type":"detects","source_ref":"x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a","created":"2023-09-28T19:40:51.425Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:40:51.425Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:10:53.087Z","description":"Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.220Z","relationship_type":"mitigates","description":"Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971","target_ref":"attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.173Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8","created":"2023-09-28T20:02:05.365Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:02:05.365Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f","created":"2023-09-27T14:47:29.337Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"},{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.258Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2f457bef-1721-4e0f-b236-24e4652a31b4","created":"2023-09-29T16:29:53.181Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:29:53.181Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.201Z","relationship_type":"mitigates","description":"Execution prevention may prevent malicious scripts from accessing protected resources.\n","source_ref":"course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.240Z","relationship_type":"mitigates","description":"Reduce the range of RF communications to their intended operating range when possible. Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n","source_ref":"course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e","target_ref":"attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72","external_references":[{"source_name":"DHS National Urban Security Technology Laboratory April 2019","description":"DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ","url":"https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd","created":"2024-04-09T21:02:56.157Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T21:02:56.157Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50","created":"2023-09-28T20:30:21.865Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:30:21.865Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-10-14T17:59:24.739Z","modified":"2022-05-06T17:47:24.226Z","relationship_type":"mitigates","description":"Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc","target_ref":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:11:26.196Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9","created":"2023-09-28T19:43:28.167Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:43:28.167Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2fe222c4-cc81-473d-956e-235e2961a5c3","created":"2023-09-29T17:04:26.769Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:04:26.769Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2ff82993-5010-4450-89e7-341f449f3263","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.092Z","relationship_type":"mitigates","description":"Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2fffbea8-c031-4de8-a451-447bbbe3e224","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.201Z","relationship_type":"mitigates","description":"Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. This may be even more useful in cases where the source of the executed script is unknown.\n","source_ref":"course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--305866af-1f36-49e0-a57d-d5faaf29011c","created":"2023-09-28T20:34:52.740Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:34:52.740Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--309e4558-e591-4d03-9bb9-07d30acf011f","created":"2021-04-12T18:49:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"McAfee Labs October 2019","description":"McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:04:11.691Z","description":"[REvil](https://attack.mitre.org/software/S0496) searches for all processes listed in the prc field within its configuration file and then terminates each process. (Citation: McAfee Labs October 2019)","relationship_type":"uses","source_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--31203165-79d0-42e5-81f1-62150dea2c43","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:16:37.643Z","description":"Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of [Valid Accounts](https://attack.mitre.org/techniques/T0859) to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--31897c41-1d47-4a34-b531-21c3f74651a8","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016","description":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:00:39.796Z","description":"[PLC-Blaster](https://attack.mitre.org/software/S1006) utilizes the PLC communication and management API to load executable Program Organization Units. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)","relationship_type":"uses","source_ref":"malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Eduard Kovacs March 2018","description":"Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 2020/01/03 ","url":"https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos"},{"source_name":"Novetta Threat Research Group February 2016","description":"Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 2016/02/25 ","url":"https://web.archive.org/web/20220707091904/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-10-04T11:00:14.895Z","description":"[Lazarus Group](https://attack.mitre.org/groups/G0032) has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. (Citation: Eduard Kovacs March 2018)","relationship_type":"uses","source_ref":"intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a","created":"2023-10-02T20:18:11.933Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:18:11.933Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce","created":"2023-09-28T21:16:44.471Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:16:44.471Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--321fc522-bc6b-4975-bee4-9098624d1e8c","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:32:18.815Z","description":"Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices. ","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5","created":"2023-09-28T20:26:15.542Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:26:15.542Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--327916f7-fe5d-4858-adeb-f72f74c60c25","created":"2021-10-08T15:25:32.143Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:11:45.996Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) sends an SQL statement that creates a table and inserts a binary value into the table. The binary value is a hex string representation of the main Stuxnet DLL as an executable file (formed using resource 210) and an updated configuration data block. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b","created":"2023-09-28T21:21:07.833Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:21:07.833Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b","created":"2023-09-28T20:10:23.215Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:10:23.215Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--32d15d1a-04ba-4035-907a-e2871425e8d1","created":"2023-09-28T20:28:40.722Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:28:40.722Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.130Z","relationship_type":"mitigates","description":"Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected.\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--3334e647-fd5d-481d-a7f9-66f73911a57a","created":"2023-09-28T19:45:30.291Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:45:30.291Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.092Z","relationship_type":"mitigates","description":"Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n","source_ref":"course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65","target_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--337f366d-3d76-470c-8ee2-0e2252648282","created":"2024-03-25T20:19:43.390Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-25T20:19:43.390Z","description":"Disallow the execution of applications/programs which are not required for normal system functions, including any specific command-line arguments which may allow the execution of proxy commands or application binaries.","relationship_type":"mitigates","source_ref":"course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30","target_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7","created":"2023-09-29T16:47:08.696Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:47:08.696Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5","created":"2023-09-29T18:07:41.540Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:07:41.540Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3439d550-61d5-40b4-a514-341509d3f701","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:08:28.052Z","description":"Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.","relationship_type":"detects","source_ref":"x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3471632d-253d-469e-9e8c-3b291b4ae88a","created":"2023-09-28T21:14:15.274Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:14:15.274Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3478c49c-594b-4224-b7f9-2b0b09c67288","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.239Z","relationship_type":"mitigates","description":"Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. (Citation: Bastille April 2017)\n","source_ref":"course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a","target_ref":"attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72","external_references":[{"source_name":"Bastille April 2017","description":"Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ","url":"https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-13T11:15:26.506Z","modified":"2022-05-06T17:47:24.156Z","relationship_type":"mitigates","description":"Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","external_references":[{"source_name":"IEC February 2019","description":"IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ","url":"https://webstore.iec.ch/publication/34421"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.168Z","relationship_type":"mitigates","description":"Segment networks and systems appropriately to reduce access to critical system and services communications.\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TRITON","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"},{"source_name":"DHS CISA February 2019","description":"DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ","url":"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-29T20:49:30.525Z","description":"[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. (Citation: DHS CISA February 2019)\n\n[Triton](https://attack.mitre.org/software/S1009) was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.(Citation: FireEye TRITON)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--351e19c4-c16e-493a-9800-a433107aacf1","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"DHS CISA February 2019","description":"DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ","url":"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:24:36.935Z","description":"[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. (Citation: DHS CISA February 2019)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3526acc8-8834-4aaa-87a5-51e587360cf5","created":"2023-09-29T18:45:47.394Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:45:47.394Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--352ed52c-88ba-4731-a917-4c33da0f29d4","created":"2023-09-27T14:44:00.588Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Andy Greenberg June 2017","description":"Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.","url":"https://www.wired.com/story/russian-hackers-attack-ukraine/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T15:19:15.124Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used an IT helpdesk software to move the mouse on ICS control devices to maliciously release electricity breakers. (Citation: Andy Greenberg June 2017)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T16:43:32.737Z","description":"Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.\n","relationship_type":"mitigates","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3618a010-b94b-4974-b1be-7630d5c853c1","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Robert Falcone, Bryan Lee May 2016","description":"Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ","url":"https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T16:31:19.923Z","description":"[OilRig](https://attack.mitre.org/groups/G0049) used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. (Citation: Robert Falcone, Bryan Lee May 2016)","relationship_type":"uses","source_ref":"intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:55:14.211Z","description":"Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. For added context on adversary procedures and background see [User Execution](https://attack.mitre.org/techniques/T1204) and applicable sub-techniques.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--366a4cd1-aa95-4985-9d80-b45a2551e298","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.179Z","relationship_type":"mitigates","description":"Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d","created":"2023-09-28T20:29:27.153Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:29:27.153Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--37048032-b41d-47d8-9c73-7b706bef24d1","created":"2023-09-28T20:27:58.625Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:27:58.625Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be","created":"2023-09-28T21:13:36.185Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:13:36.185Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3731962f-64e7-4750-ac8b-40b97eef8725","created":"2023-09-29T16:41:15.943Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:41:15.943Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--374837a0-6109-4c95-bee6-893b25ac71cf","created":"2023-09-28T21:13:12.715Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:13:12.715Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:43:54.996Z","description":"Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--37abb3d5-24fc-4397-844e-07548d324729","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:32:20.552Z","description":"Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2","created":"2023-09-29T16:31:46.749Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:31:46.749Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--383e242a-72d4-4b40-8905-888595c34919","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kelly Jackson Higgins","description":"Kelly Jackson Higgins How a Manufacturing Firm Recovered from a Devastating Ransomware Attack Retrieved. 2019/11/03 ","url":"https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:20:20.608Z","description":"An enterprise resource planning (ERP) manufacturing server was lost to the [Ryuk](https://attack.mitre.org/software/S0446) attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open. (Citation: Kelly Jackson Higgins)","relationship_type":"uses","source_ref":"malware--a020a61c-423f-4195-8c46-ba1d21abba37","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3843dcca-62a2-4224-9241-05f981fa880a","created":"2023-09-28T19:46:23.921Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:46:23.921Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:32:41.938Z","description":"Monitor for newly constructed files copied to or from removable media.","relationship_type":"detects","source_ref":"x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c","target_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--38bda770-c470-4358-a9ad-a5b39bec026b","created":"2023-09-29T16:28:28.550Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:28:28.550Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--39452123-574f-4f3a-95ec-a90170a3d7eb","created":"2023-10-02T20:20:44.850Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:20:44.850Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--399126a9-815d-4c3b-9d5e-f57d698ac742","created":"2023-09-28T19:40:36.023Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:40:36.023Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--39963a04-9675-4fa4-87ea-1b34145cc569","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Elastic - Koadiac Detection with EQL","description":"Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.","url":"https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:51:44.656Z","description":"Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--39e5a489-f557-4130-a285-e0a82f40685c","created":"2023-09-28T19:46:38.112Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:46:38.112Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584","created":"2023-09-28T19:40:21.763Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:40:21.763Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9","created":"2024-03-28T14:29:30.576Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TRITON Dec 2017","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:00:39.020Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088)’ tool took one option from the command line, which was a single IP address of the target Triconex device.(Citation: FireEye TRITON Dec 2017)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974","created":"2023-09-29T18:56:47.109Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:56:47.110Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:23:59.758Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca","created":"2023-09-28T19:44:37.687Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:44:37.687Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3a7d1db3-9383-4171-8938-382e9b0375c6","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:36:37.304Z","description":"[BlackEnergy](https://attack.mitre.org/software/S0089) uses HTTP POST request to contact external command and control servers. (Citation: Booz Allen Hamilton)\n","relationship_type":"uses","source_ref":"malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea","created":"2023-09-28T21:15:18.036Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:15:18.036Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:11:14.662Z","description":"Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.","relationship_type":"detects","source_ref":"x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.237Z","relationship_type":"mitigates","description":"Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. (Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","external_references":[{"source_name":"CISA March 2010","description":"CISA 2010, March 11 https://us-cert.cisa.gov/ncas/tips/ST05-003 Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/ncas/tips/ST05-003"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35","created":"2023-09-28T19:43:15.817Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:43:15.817Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3b6567a9-6213-4db4-a069-1a86b1098b63","created":"2021-04-13T12:08:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Microsoft Security Response Center August 2017","description":"Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ","url":"https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"},{"source_name":"Wikipedia","description":"Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ","url":"https://en.wikipedia.org/wiki/Control-flow_integrity"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:18:50.929Z","description":"Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n","relationship_type":"mitigates","source_ref":"course-of-action--49363b74-d506-4342-bd63-320586ebadb9","target_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688","created":"2023-09-28T19:53:33.603Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:53:33.603Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2","created":"2023-10-02T20:22:15.907Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:22:15.908Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:52:05.598Z","description":"The name of the [Industroyer](https://attack.mitre.org/software/S0604) payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.216Z","relationship_type":"mitigates","description":"Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:57:59.240Z","description":"Monitor for known proxy protocols (e.g., SOCKS, Tor, peer-to-peer protocols) and tool usage (e.g., Squid, peer-to-peer software) on the network that are not part of normal operations. Also monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3c341d13-938e-4535-ac75-10a79abc7017","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:46:17.575Z","description":"Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:11:30.678Z","description":"Monitor operational process data for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a","created":"2021-04-13T12:45:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:12:08.899Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) calls system function blocks which are part of the operating system running on the PLC. Theyre used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T18:41:15.273Z","description":"Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a","created":"2023-09-28T21:26:11.506Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:26:11.506Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T19:19:04.853Z","description":"Monitor logon activity for unexpected or unusual access to devices from the Internet.","relationship_type":"detects","source_ref":"x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b","target_ref":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3d676c1b-2650-4599-8a57-790c55f9977d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.109Z","relationship_type":"mitigates","description":"Minimize the exposure of API calls that allow the execution of code.\n","source_ref":"course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30","target_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3da977ab-c863-4e6f-a5b7-68173160da00","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.166Z","relationship_type":"mitigates","description":"Filter for protocols and payloads associated with firmware activation or updating activity.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e","created":"2024-03-28T14:31:06.217Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TEMP.Veles 2018","description":"FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.","url":"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:00:51.312Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used a publicly available PowerShell-based tool, WMImplant.(Citation: FireEye TEMP.Veles 2018)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d","created":"2022-09-30T15:28:37.614Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-30T15:28:37.614Z","description":"Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5","created":"2023-09-29T17:05:08.346Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:05:08.346Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1","created":"2023-09-29T16:44:16.391Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:44:16.391Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.214Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41","created":"2022-09-26T19:30:14.122Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:15:05.195Z","description":"Monitor DLL file events, specifically creation of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.","relationship_type":"detects","source_ref":"x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3ed98d8c-de30-499e-9a62-eae0207519f4","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.092Z","relationship_type":"mitigates","description":"Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9","created":"2023-09-29T17:39:42.457Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:39:42.457Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.236Z","relationship_type":"mitigates","description":"Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:40:51.224Z","description":"Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572","created":"2018-04-18T17:59:24.739Z","x_mitre_version":"1.0","external_references":[{"source_name":"Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015","url":"https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf","description":"Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 "}],"x_mitre_deprecated":false,"revoked":false,"description":"The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. (Citation: Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015)","modified":"2022-08-11T13:23:12.321Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe","created":"2023-09-28T21:17:18.201Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:17:18.201Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3fb86696-1d56-42d5-a73d-044a78b588fe","created":"2023-09-27T14:54:12.586Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T15:19:28.937Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult. (Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa","created":"2023-09-28T20:27:43.727Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:27:43.727Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542","created":"2023-09-29T18:57:32.665Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:57:32.665Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c","created":"2022-09-28T21:16:28.195Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.435Z","description":"The [INCONTROLLER](https://attack.mitre.org/software/S1045) PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.(Citation: Wylie-22)","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4","created":"2023-09-29T18:05:42.611Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:05:42.611Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--40f63b01-dc59-475d-826a-74f38c6e81b9","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T19:38:28.550Z","description":"Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. Monitor for relevant process creation events.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db","created":"2023-09-29T17:04:46.290Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:04:46.290Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--41a109dd-11d9-4840-a38b-088fc790f45a","created":"2024-03-25T20:17:27.552Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-25T20:17:27.552Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.145Z","relationship_type":"mitigates","description":"Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.160Z","relationship_type":"mitigates","description":"The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n","source_ref":"course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d","created":"2023-09-28T19:58:43.542Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:58:43.542Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-12T17:59:24.739Z","modified":"2022-05-06T17:47:24.187Z","relationship_type":"mitigates","description":"All communication sessions to remote services should be authenticated to prevent unauthorized access.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--423271c0-04dc-42d0-8e27-fb0b6067e096","created":"2023-09-27T14:59:43.382Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"},{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.259Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power breakers were opened which caused the operating companies to be unable to deliver power, and left thousands of businesses and households without power for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--42508a8e-44d5-4af1-9e66-bace5fc94734","created":"2022-09-27T18:49:25.089Z","revoked":false,"external_references":[{"source_name":"University of Birmingham C2","description":"Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.","url":"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T18:49:25.089Z","description":"Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.178Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.185Z","relationship_type":"mitigates","description":"Ensure permissions restrict project file access to only engineer and technician user groups and accounts.\n","source_ref":"course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971","target_ref":"attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b","created":"2023-09-28T19:58:54.450Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:58:54.450Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--43344cd7-5004-4dac-8b62-8899105fa265","created":"2023-09-29T18:47:20.334Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:47:20.334Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--433539bf-cb17-4de1-9c0f-e579b041514f","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Inc. June 2017","description":"Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ","url":"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:16:26.262Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4369da69-bb09-4cc8-8600-081a450f50e0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.120Z","relationship_type":"mitigates","description":"Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n","source_ref":"course-of-action--d0909119-2f71-4923-87db-b649881672d7","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:24:52.417Z","description":"Monitor device alarms for program downloads, although not all devices produce such alarms.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--43b11545-3b70-4284-a369-bed7a0de4fd0","created":"2024-03-27T19:52:07.502Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Mandiant-Sandworm-Ukraine-2022","description":"Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.","url":"https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T15:19:32.247Z","description":"During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilizes a Visual Basic script `lun.vbs` to execute `n.bat` which then executed the MicroSCADA `scilc.exe` command.(Citation: Mandiant-Sandworm-Ukraine-2022)","relationship_type":"uses","source_ref":"campaign--df8eb785-70f8-4300-b444-277ba849083d","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--43bdf580-b98f-49cf-92d5-3dac50450c86","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.214Z","relationship_type":"mitigates","description":"The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n","source_ref":"course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-13T12:36:26.506Z","modified":"2022-05-06T17:47:24.166Z","relationship_type":"mitigates","description":"Minimize the exposure of API calls that allow the execution of code.\n","source_ref":"course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30","target_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b","created":"2022-09-27T19:06:12.301Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T19:06:12.302Z","description":"A manipulated I/O image requires analyzing the application program running on the PLC for specific data block writes. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.","relationship_type":"detects","source_ref":"x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d","target_ref":"attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--44c857cf-7a4e-405a-87ca-7f6d79000589","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T21:22:38.490Z","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n","relationship_type":"mitigates","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4508bdef-9528-47ae-804c-bc59d1e694e7","created":"2023-09-28T20:02:35.354Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:02:35.354Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--456ff399-4925-45d4-aa84-d930eae5348e","created":"2023-09-28T20:26:47.786Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:26:47.786Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f","created":"2023-10-02T20:22:02.539Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:22:02.539Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9","created":"2023-09-28T20:15:32.382Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:15:32.382Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--45ee1822-71e4-4d92-976d-306561b70555","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.106Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.073Z","relationship_type":"mitigates","description":"Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--4631bf49-da0b-4415-a226-112c99ff0f64","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T19:22:17.841Z","description":"Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.","relationship_type":"detects","source_ref":"x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--46332a77-2fd6-4033-96cf-6163172775ec","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.164Z","relationship_type":"mitigates","description":"Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--4653847b-c089-4435-9159-6f76353833f7","created":"2023-09-25T20:43:22.274Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:43:22.274Z","description":"All field controllers should restrict the modification of controller tasks to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.","relationship_type":"mitigates","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf","created":"2023-09-29T16:42:20.944Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:42:20.944Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--46798892-d849-43fe-8147-b40cc9da291e","created":"2023-09-28T19:42:29.359Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:42:29.359Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Hydro","description":"Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ","url":"https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"},{"source_name":"Kevin Beaumont","description":"Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ","url":"https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:56:30.836Z","description":"While Norsk Hydro attempted to recover from a [LockerGoga](https://attack.mitre.org/software/S0372) infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity. (Citation: Kevin Beaumont)(Citation: Hydro)","relationship_type":"uses","source_ref":"malware--5af7a825-2d9f-400d-931a-e00eb9e27f48","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9","created":"2024-03-25T20:17:59.424Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-25T20:17:59.424Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4768c731-3be9-44b8-a217-dfbececa57d9","created":"2023-09-29T18:06:22.868Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:06:22.868Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4","created":"2022-09-26T20:46:23.812Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:30:58.676Z","description":"Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. ","relationship_type":"detects","source_ref":"x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--47f15a06-8675-4698-833d-bd141ed9e755","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Microsoft Security Response Center August 2017","description":"Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ","url":"https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"},{"source_name":"Wikipedia","description":"Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ","url":"https://en.wikipedia.org/wiki/Control-flow_integrity"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:18:32.118Z","description":"Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n","relationship_type":"mitigates","source_ref":"course-of-action--49363b74-d506-4342-bd63-320586ebadb9","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--483719ad-c973-4210-b059-14e87dbd45f8","created":"2023-09-28T19:49:43.417Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:49:43.417Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--48489baf-56c2-423e-964a-0a61688e4a19","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.224Z","relationship_type":"mitigates","description":"Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957","created":"2024-04-09T20:50:34.946Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:50:34.946Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.102Z","relationship_type":"mitigates","description":"Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--49242ea8-4813-49f7-8bd4-9668216cceeb","created":"2023-09-29T16:45:53.300Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:45:53.300Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4966e63c-ca05-466d-91f9-41d799a54471","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-12T18:59:17.429Z","modified":"2022-05-06T17:47:24.186Z","relationship_type":"mitigates","description":"Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.\n","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--4981a944-b3ad-4d78-9881-a17d458e3422","created":"2023-09-28T20:01:30.138Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:01:30.138Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8","created":"2023-03-31T17:44:19.711Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Crashoverride 2018","description":"Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-07T19:50:55.445Z","description":"During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: `cscript C:\\Backinfo\\ufn.vbs C:\\Backinfo\\101.dll C:\\Delta\\101.dll`(Citation: Dragos Crashoverride 2018)","relationship_type":"uses","source_ref":"campaign--aa73efef-1418-4dbe-b43c-87a498e97234","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:27:26.605Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-29T14:04:13.656Z","description":"Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible, to determine their actions and intent.","relationship_type":"detects","source_ref":"x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd","target_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05","created":"2023-09-28T19:41:47.648Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:41:47.648Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4a7340fc-0eec-4459-a491-952d736b79ef","created":"2023-09-28T19:50:42.505Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:50:42.505Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198","created":"2023-09-28T21:09:50.956Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:09:50.956Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4b57e41c-246f-44b3-b259-1811d5275e10","created":"2022-09-26T15:16:32.057Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:16:32.057Z","description":"Consult asset management systems to understand expected alarm settings.","relationship_type":"detects","source_ref":"x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596","created":"2023-09-28T21:24:51.818Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:24:51.818Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4b853b7c-bc55-4599-b88d-d08d651526c0","created":"2023-09-29T18:49:25.209Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:49:25.209Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e","created":"2023-03-31T17:45:09.659Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Crashoverride 2018","description":"Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-07T17:51:39.294Z","description":"During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.(Citation: Dragos Crashoverride 2018)","relationship_type":"uses","source_ref":"campaign--aa73efef-1418-4dbe-b43c-87a498e97234","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12","created":"2023-09-28T19:59:23.856Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:59:23.856Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962","created":"2023-09-28T21:23:14.975Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:23:14.975Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Atlassian Confluence Logging","description":"Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.","url":"https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html"},{"source_name":"Microsoft SharePoint Logging","description":"Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.","url":"https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2"},{"source_name":"Sharepoint Sharing Events","description":"Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021.","url":"https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:13:08.567Z","description":"Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.(Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource.(Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.(Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ","relationship_type":"detects","source_ref":"x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7","created":"2023-09-28T20:27:04.841Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:27:04.841Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4","created":"2023-09-28T21:28:11.821Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:28:11.821Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e","created":"2022-09-28T21:21:58.641Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.435Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5","created":"2023-09-29T18:02:38.399Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:02:38.399Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93","created":"2023-09-29T17:57:55.162Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:57:55.162Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9","created":"2023-09-28T20:09:53.108Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:09:53.108Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4f83cc15-274d-44c6-859f-e598e362e76e","created":"2023-09-27T14:55:55.381Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.260Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened live breakers via remote commands to the HMI, causing blackouts. (Citation: Ukraine15 - EISAC - 201603)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--502a0b7e-048a-468a-b888-e91fde47c6eb","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-12T18:59:17.429Z","modified":"2022-05-06T17:47:24.189Z","relationship_type":"mitigates","description":"Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","external_references":[{"source_name":"North America Transmission Forum December 2019","description":"North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ","url":"https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29","created":"2023-09-29T18:03:06.209Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:03:06.209Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5041e17d-6349-4589-8c61-7b43964b5f9b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-10-14T17:59:24.739Z","modified":"2022-05-06T17:47:24.227Z","relationship_type":"mitigates","description":"Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. (Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","external_references":[{"source_name":"Emerson Exchange","description":"Emerson Exchange Increase Security with TPM, Secure Boot, and Trusted Boot Retrieved. 2020/09/25 ","url":"https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot"},{"source_name":"National Security Agency February 2016","description":"National Security Agency 2016, February Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems Retrieved. 2020/09/25 ","url":"https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--50a2b289-7bce-405d-8515-c2b5424cce5c","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.090Z","relationship_type":"mitigates","description":"Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--50b3247a-ea71-455e-b299-f00666c05146","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:12:35.411Z","description":"In states 3 and 4 [Stuxnet](https://attack.mitre.org/software/S0603) sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--50c20664-75dc-451e-b026-67b1d309e4b5","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:16:50.062Z","description":"The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. (Citation: Anton Cherepanov, ESET June 2017) Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5131c799-517c-4bad-ba97-46ad7de956e7","created":"2023-09-28T21:17:06.233Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:17:06.233Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--51eb15a3-48af-470f-94c0-10f25b366d72","created":"2022-09-28T20:30:22.148Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos-Pipedream","description":"DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.","url":"https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"},{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.436Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can establish a remote HTTP connection to change the operating mode of Omron PLCs.(Citation: Dragos-Pipedream)(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.072Z","relationship_type":"mitigates","description":"Restrict unauthorized devices from accessing serial comm ports.\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59","created":"2022-09-26T17:08:21.214Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T17:08:21.214Z","description":"Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads).","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4","created":"2019-06-24T17:20:24.258Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Catalin Cimpanu April 2016","description":"Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ","url":"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:39:25.984Z","description":"A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. (Citation: Catalin Cimpanu April 2016)","relationship_type":"uses","source_ref":"malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c","created":"2023-09-29T16:40:18.760Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:40:18.760Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--520aad6a-2483-45bc-a172-2417137f6ca0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.143Z","relationship_type":"mitigates","description":"Utilize out-of-band communication to validate the integrity of data from the primary channel.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-10T14:13:17.429Z","modified":"2022-05-06T17:47:24.188Z","relationship_type":"mitigates","description":"Enforce strong password requirements to prevent password brute force methods for lateral movement.\n","source_ref":"course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--523777f8-4780-4716-807c-08a67450b916","created":"2023-09-29T18:45:13.052Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:45:13.052Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--524ffb0f-40ae-4c97-a098-d14001fffa31","created":"2023-09-29T16:44:54.473Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:44:54.473Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0","created":"2024-04-09T20:58:49.397Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:58:49.397Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--52855d5d-e835-470f-a675-751c2779c861","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.140Z","relationship_type":"mitigates","description":"Utilize out-of-band communication to validate the integrity of data from the primary channel.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b","created":"2023-09-28T21:23:26.598Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:23:26.598Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.133Z","relationship_type":"mitigates","description":"Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--52e828db-58d0-443e-8d94-54d265d9606e","created":"2023-09-29T17:42:01.044Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:42:01.044Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.208Z","relationship_type":"mitigates","description":"Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","external_references":[{"source_name":"Karen Scarfone; Paul Hoffman September 2009","description":"Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ","url":"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"},{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"},{"source_name":"Dwight Anderson 2014","description":"Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--533bd747-2567-4c53-a10b-938734f8aeab","created":"2024-03-25T17:59:02.526Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TRITON Dec 2017","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"},{"source_name":"FireEye TEMP.Veles 2018","description":"FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.","url":"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"},{"source_name":"FireEye TRITON 2018","description":"Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.","url":"https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:07:55.592Z","description":"[TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to interact and disrupt Triconex safety instrumented systems throughout this campaign.(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TRITON 2018)(Citation: FireEye TRITON Dec 2017)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016","description":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:01:00.053Z","description":"The execution on the PLC can be stopped by violating the cycle time limit. The [PLC-Blaster](https://attack.mitre.org/software/S1006) implements an endless loop triggering an error condition within the PLC with the impact of a DoS. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)","relationship_type":"uses","source_ref":"malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--53a54e4a-2b38-4b0c-8f60-252a68767443","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:12:58.883Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a","created":"2023-03-30T14:08:23.251Z","revoked":false,"external_references":[{"source_name":"CISA June 2013","description":"CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/ncas/alerts/TA13-175A"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T14:08:23.251Z","description":"Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.(Citation: CISA June 2013)","relationship_type":"mitigates","source_ref":"course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65","target_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--53d7a78d-1431-49e8-944c-62c875e58a20","created":"2023-09-29T17:08:37.793Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:08:37.793Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5424e327-396f-4b07-94a3-408ffc915686","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos","description":"Dragos Allanite Retrieved. 2019/10/27 ","url":"https://dragos.com/resource/allanite/"},{"source_name":"ICS-CERT October 2017","description":"ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ","url":"https://www.us-cert.gov/ncas/alerts/TA17-293A"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T15:40:18.975Z","description":"[ALLANITE](https://attack.mitre.org/groups/G1000) has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017)","relationship_type":"uses","source_ref":"intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae","target_ref":"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd","created":"2023-09-29T17:44:32.341Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:44:32.341Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--544e996c-0bdc-42b2-91af-14c27d4213b9","created":"2023-09-28T21:09:23.185Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:09:23.185Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56","created":"2023-09-28T20:10:44.014Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:10:44.014Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b","created":"2023-03-30T19:24:38.022Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Industroyer2 Mandiant April 2022","description":"Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.","url":"https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T16:17:58.795Z","description":"[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration.(Citation: Industroyer2 Mandiant April 2022)","relationship_type":"uses","source_ref":"malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T17:07:49.346Z","description":"Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T19:18:27.480Z","description":"Monitor for unexpected protocols to/from the Internet. While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--55d1eaf7-c3cb-4ff9-8439-96f562d46259","created":"2024-03-25T20:19:19.219Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-29T14:07:21.029Z","description":"Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.","relationship_type":"detects","source_ref":"x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd","target_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--55f3dd59-08be-4e23-a680-b6db7850b399","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:59:50.879Z","description":"Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.075Z","relationship_type":"mitigates","description":"Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","external_references":[{"source_name":"Karen Scarfone; Paul Hoffman September 2009","description":"Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ","url":"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"},{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"},{"source_name":"Dwight Anderson 2014","description":"Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--5677e801-bd49-404b-b54a-6b00da52530c","created":"2023-09-29T16:39:01.824Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:39:01.824Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--567acebd-4ba2-4723-a74d-514992321ccc","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:03:27.702Z","description":"Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18","created":"2023-09-29T18:05:18.147Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:05:18.147Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jos Wetzels January 2018","description":"Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ","url":"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:24:51.471Z","description":"[Triton](https://attack.mitre.org/software/S1009) would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. (Citation: Jos Wetzels January 2018)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0","created":"2022-09-29T14:28:08.703Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-29T14:28:08.703Z","description":"Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.","relationship_type":"mitigates","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f","created":"2023-09-27T14:48:05.715Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.261Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.199Z","relationship_type":"mitigates","description":"Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T16:33:10.450Z","description":"Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.","relationship_type":"detects","source_ref":"x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8","target_ref":"attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--577b53a0-44ff-4cc4-b571-455d61e596c0","created":"2023-09-28T20:27:17.431Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:27:17.431Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T21:22:50.001Z","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n","relationship_type":"mitigates","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141","created":"2023-03-31T18:12:35.414Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ESET Industroyer","description":"Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"},{"source_name":"Dragos Crashoverride 2018","description":"Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-07T17:07:29.299Z","description":"Within the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Industroyer](https://attack.mitre.org/software/S0604) was used to target and disrupt the Ukrainian power grid substation components.(Citation: Dragos Crashoverride 2018)(Citation: ESET Industroyer)","relationship_type":"uses","source_ref":"campaign--aa73efef-1418-4dbe-b43c-87a498e97234","target_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5804ae3d-0daf-47a5-b026-d42878f55803","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.166Z","relationship_type":"mitigates","description":"This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n","source_ref":"course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433","target_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.086Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2","created":"2022-09-26T15:37:30.958Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:37:30.958Z","description":"Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.168Z","relationship_type":"mitigates","description":"Use multi-factor authentication wherever possible.\n","source_ref":"course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba","created":"2023-09-28T19:38:03.976Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:38:03.976Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.145Z","relationship_type":"mitigates","description":"Utilize out-of-band communication to validate the integrity of data from the primary channel.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1","created":"2023-09-28T20:27:33.713Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:27:33.713Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:17:25.451Z","description":"Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to login and may perform follow-on actions that spawn additional processes as the user.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.201Z","relationship_type":"mitigates","description":"Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).\n","source_ref":"course-of-action--d0909119-2f71-4923-87db-b649881672d7","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5914a482-dbb7-429d-96f3-77f0588ac12d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.123Z","relationship_type":"mitigates","description":"Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n","source_ref":"course-of-action--d48b79b2-076d-483e-949c-0d38aa347499","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--591620d3-5549-49db-9080-43f86a68a590","created":"2021-04-13T12:08:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"DHS CISA February 2019","description":"DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ","url":"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:25:07.936Z","description":"[Triton](https://attack.mitre.org/software/S1009) leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. (Citation: DHS CISA February 2019)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b","created":"2023-09-28T21:28:21.910Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:28:21.910Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8","created":"2023-09-29T17:09:25.690Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:09:25.690Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--59c65014-1fee-4c2e-9ece-9883159bbed2","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T19:16:20.286Z","description":"Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).","relationship_type":"detects","source_ref":"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc","created":"2023-03-10T20:30:43.206Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:30:43.206Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:40:41.495Z","description":"Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.","relationship_type":"detects","source_ref":"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba","created":"2023-09-28T20:07:36.295Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:07:36.295Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.180Z","relationship_type":"mitigates","description":"All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--5b14c813-09e2-4709-ab42-94830cf9538c","created":"2023-09-29T18:42:39.876Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:42:39.876Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Daavid Hentunen, Antti Tikkanen June 2014","description":"Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ","url":"https://www.f-secure.com/weblog/archives/00002718.html"},{"source_name":"Kyle Wilhoit","description":"Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22 ","url":"https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:19:26.117Z","description":"Execution of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) relies on a user opening a trojanized installer attached to an email. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) (Citation: Kyle Wilhoit)","relationship_type":"uses","source_ref":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.209Z","relationship_type":"mitigates","description":"Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.\n","source_ref":"course-of-action--3172222b-4983-43f7-8983-753ded4f13bc","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad","created":"2024-03-28T14:28:10.742Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TRITON Dec 2017","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:01:00.075Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) tripped a controller into a failed safe state, which caused an automatic shutdown of the plant, this resulted in a pause of plant operations for more than a week. Thereby impacting industrial processes and halting productivity.(Citation: FireEye TRITON Dec 2017)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:39:05.432Z","description":"Provide the ability to verify the integrity and authenticity of changes to parameter values.\n","relationship_type":"mitigates","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016","description":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:01:18.283Z","description":"[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)","relationship_type":"uses","source_ref":"malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5c61c8a2-bfff-43fb-8397-bff864413d74","created":"2023-09-29T17:06:09.673Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:06:09.673Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5c695f49-6c76-4818-88b6-4db2bf029e43","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T17:38:22.073Z","description":"Monitor for file creation in conjunction with other techniques (e.g., file transfers using [Remote Services](https://attack.mitre.org/techniques/T0886)).","relationship_type":"detects","source_ref":"x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.182Z","relationship_type":"mitigates","description":"Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.094Z","relationship_type":"mitigates","description":"System and process restarts should be performed when a timeout condition occurs.\n","source_ref":"course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5d33de22-35b0-47fa-bc63-f984522340b7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.068Z","relationship_type":"mitigates","description":"Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n","source_ref":"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a","target_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:48:51.528Z","description":"Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n","relationship_type":"mitigates","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.201Z","relationship_type":"mitigates","description":"Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. (Citation: IEC February 2019)\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","external_references":[{"source_name":"IEC February 2019","description":"IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ","url":"https://webstore.iec.ch/publication/34421"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.235Z","relationship_type":"mitigates","description":"Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128","created":"2021-04-12T18:49:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Tom Fakterman August 2019","description":"Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ","url":"https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:05:04.619Z","description":"[REvil](https://attack.mitre.org/software/S0496) searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. (Citation: Tom Fakterman August 2019)","relationship_type":"uses","source_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5e324da5-0fee-4dac-b289-410d560e03e9","created":"2023-09-28T19:46:49.255Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:46:49.255Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb","created":"2023-09-28T20:16:28.582Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:16:28.582Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5f03ee5d-534c-454c-aae3-b41130b00286","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-13T12:08:26.506Z","modified":"2022-05-06T17:47:24.117Z","relationship_type":"mitigates","description":"Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n","source_ref":"course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea","target_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","external_references":[{"source_name":"Dan Goodin March 2017","description":"Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ","url":"https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0","created":"2023-09-25T20:49:49.605Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:49:49.605Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5ff26c96-c610-4669-b44e-d6318205be5a","created":"2023-09-29T16:43:28.841Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:43:28.841Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--600f0115-94e3-49bf-afa6-0180b3367b94","created":"2023-09-28T20:06:15.180Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:06:15.180Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--604a9bf0-81a3-425b-9005-779c4f0f749d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.195Z","relationship_type":"mitigates","description":"Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.\n","source_ref":"course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce","target_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024","created":"2023-09-29T18:07:18.253Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:07:18.253Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--605f3853-b007-4134-8a2d-6a81a35e7676","created":"2023-09-29T18:48:05.559Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:48:05.559Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6067c069-8e93-4bf0-bb49-97538d55c3de","created":"2024-04-09T20:58:32.884Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:58:32.884Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6157408d-1eb3-4445-8d8a-14619458954f","created":"2022-09-27T15:26:40.297Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:26:40.297Z","description":"Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.199Z","relationship_type":"mitigates","description":"Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","external_references":[{"source_name":"Karen Scarfone; Paul Hoffman September 2009","description":"Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ","url":"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"},{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"},{"source_name":"Dwight Anderson 2014","description":"Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--61869a8e-d6da-478a-b770-47f97beae8b4","created":"2024-08-15T21:59:43.124Z","revoked":false,"external_references":[{"source_name":"NCSC CISA Cyclops Blink Advisory February 2022","description":"NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.","url":"https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-08-15T21:59:43.124Z","description":"[VPNFilter](https://attack.mitre.org/software/S1010) is associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) operations based on reporting on [VPNFilter](https://attack.mitre.org/software/S1010) replacement software, [Cyclops Blink](https://attack.mitre.org/software/S0687).(Citation: NCSC CISA Cyclops Blink Advisory February 2022)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"malware--6108f800-10b8-4090-944e-be579f01263d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6258c355-677c-452d-b1fc-27767232437b","created":"2019-03-26T16:19:52.358Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Joe Slowik April 2019","description":"Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ","url":"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:58:23.141Z","description":"[NotPetya](https://attack.mitre.org/software/S0368) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)","relationship_type":"uses","source_ref":"malware--5719af9d-6b16-46f9-9b28-fb019541ddbb","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--62abe387-10a2-414b-881c-060b70db2157","created":"2023-09-28T20:08:39.992Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:08:39.992Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--62e818b8-38e6-42ff-9424-9a327332eb2a","created":"2022-09-29T20:02:37.671Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ESET Industroyer","description":"Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-17T15:22:56.606Z","description":"The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604) IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.(Citation: ESET Industroyer)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--630eb861-eb37-4258-9dbd-87789df2257a","created":"2024-03-26T15:41:26.772Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T15:41:26.772Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--63323b12-86db-4b91-a701-90daf3f98f7c","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.122Z","relationship_type":"mitigates","description":"Segment networks and systems appropriately to reduce access to critical system and services communications.\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--63453d2f-30f6-40ab-b32c-506d940ecd20","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:25:01.756Z","description":"Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918)","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T16:53:22.510Z","description":"Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.","relationship_type":"detects","source_ref":"x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b","created":"2023-09-29T17:44:55.599Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:44:55.599Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"DHS CISA February 2019","description":"DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ","url":"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"},{"source_name":"Jos Wetzels January 2018","description":"Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ","url":"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:25:29.480Z","description":"[Triton](https://attack.mitre.org/software/S1009)'s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. (Citation: DHS CISA February 2019) (Citation: Jos Wetzels January 2018)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3","created":"2023-09-29T16:43:05.495Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:43:05.495Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--642cae89-bb5c-46f3-9fea-8d747b930c35","created":"2023-03-10T20:11:10.018Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T22:03:14.174Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's affected rivers.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--648c6649-5861-4b43-a7e5-a9665bafb576","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:17:15.157Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--64db6a39-64d2-4999-97d7-91c28c32f42e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.101Z","relationship_type":"mitigates","description":"Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.198Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--652c1e77-cfea-4452-9762-5ba16f874119","created":"2023-09-29T17:58:42.002Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:58:42.002Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:49:07.316Z","description":"Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6573327e-3757-424e-8570-04ffe7d5d0e2","created":"2023-09-27T14:53:25.385Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T15:22:13.576Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used port 443 to communicate with their C2 servers. (Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--65a45501-10de-46a2-89bf-03bbf17aba33","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.166Z","relationship_type":"mitigates","description":"Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--65aa5a0d-926c-4b04-9509-f66a99639877","created":"2023-09-29T17:41:34.892Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:41:34.892Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--65adbdda-7069-40ed-9825-b79ec87e4916","created":"2021-09-21T15:47:37.522Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CrowdStrike Carbon Spider August 2021","description":"Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.","url":"https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"},{"source_name":"Microsoft Ransomware as a Service","description":"Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.","url":"https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"},{"source_name":"IBM Ransomware Trends September 2020","description":"Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.","url":"https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/"},{"source_name":"FBI Flash FIN7 USB","description":"The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.","url":"https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-04T20:49:01.034Z","description":"(Citation: IBM Ransomware Trends September 2020)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: FBI Flash FIN7 USB)(Citation: Microsoft Ransomware as a Service)","relationship_type":"uses","source_ref":"intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc","target_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5","created":"2023-09-28T21:25:34.304Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:25:34.304Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2","created":"2023-10-02T20:18:54.267Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:18:54.267Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6603a100-d655-4e6b-8d38-73c11b89dde4","created":"2019-03-26T16:19:52.358Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Joe Slowik April 2019","description":"Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ","url":"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:58:42.847Z","description":"[NotPetya](https://attack.mitre.org/software/S0368) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)","relationship_type":"uses","source_ref":"malware--5719af9d-6b16-46f9-9b28-fb019541ddbb","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6637d8e6-6578-4d15-a993-d63ced4c4464","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.099Z","relationship_type":"mitigates","description":"Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--665587ee-1524-4334-9580-2b448c417542","created":"2023-03-30T19:26:07.209Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Industroyer2 Mandiant April 2022","description":"Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.","url":"https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks"},{"source_name":"Industroyer2 Forescout July 2022","description":"Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.","url":"https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-06T22:09:44.559Z","description":"[Industroyer2](https://attack.mitre.org/software/S1072) modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)","relationship_type":"uses","source_ref":"malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--66738beb-0a33-4d70-baec-8307b5b34f80","created":"2023-09-28T20:16:05.975Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:16:05.975Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6681bc38-0b55-4714-b690-c609956b40bf","created":"2022-09-28T20:27:33.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA-AA22-103A","description":"DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"},{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.438Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).(Citation: CISA-AA22-103A)\n\n [INCONTROLLER](https://attack.mitre.org/software/S1045) can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d","created":"2023-03-10T20:32:02.472Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:32:02.472Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--66af47d7-c430-4ac9-8020-fd79b7059037","created":"2022-09-28T20:28:03.422Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA-AA22-103A","description":"DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"},{"source_name":"Dragos-Pipedream","description":"DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.","url":"https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"},{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.440Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702","created":"2023-09-29T17:43:31.956Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:43:31.956Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--66d637a0-4874-4b12-bd3a-b408acb06d26","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:53:54.118Z","description":"Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--66d8f3d7-68e0-48a0-a563-4746922080fc","created":"2024-04-09T20:48:46.756Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:48:46.756Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68","created":"2024-09-11T22:50:15.550Z","revoked":false,"external_references":[{"source_name":"Claroty Fuxnet 2024","description":"Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.","url":"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-11T22:50:15.550Z","description":"[Fuxnet](https://attack.mitre.org/software/S1157) initial execution relied on accessing external remote services for victim environments.(Citation: Claroty Fuxnet 2024)","relationship_type":"uses","source_ref":"malware--931e2489-8078-4f9f-85b2-a9211950e75b","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--66f79019-d52c-46a6-b605-c2335d1d3d20","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:25:59.238Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) has the capability to stop a service itself, or to login as a user and stop a service as that user. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--671043a9-337f-411a-9ca9-3112e897ab09","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.184Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd","created":"2023-09-29T18:02:52.119Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:02:52.119Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6795c92f-848f-488e-9c25-d240f99c9b34","created":"2023-09-28T21:23:39.333Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:23:39.333Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab","created":"2022-09-27T15:40:41.869Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"EyeofRa Detecting Hooking June 2017","description":"Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017.","url":"https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/"},{"source_name":"Zairon Hooking Dec 2006","description":"Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017.","url":"https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/"},{"source_name":"Microsoft Hook Overview","description":"Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.","url":"https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx"},{"source_name":"PreKageo Winhook Jul 2011","description":"Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.","url":"https://github.com/prekageo/winhook"},{"source_name":"Jay GetHooks Sept 2011","description":"Satiro, J. (2011, September 14). GetHooks. Retrieved December 12, 2017.","url":"https://github.com/jay/gethooks"},{"source_name":"Volatility Detecting Hooks Sept 2012","description":"Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.","url":"https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:43:36.888Z","description":"Monitor for API calls that can be used to install a hook procedure, such as the SetWindowsHookEx and SetWinEventHook functions.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)","relationship_type":"detects","source_ref":"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e","target_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jeff Jones May 2018","description":"Jeff Jones 2018, May 10 Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE Retrieved. 2020/01/03 ","url":"https://www.eisac.com/public-news-detail?id=115909"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T15:40:28.784Z","description":"[ALLANITE](https://attack.mitre.org/groups/G1000) utilized spear phishing to gain access into energy sector environments. (Citation: Jeff Jones May 2018)","relationship_type":"uses","source_ref":"intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--67ae8423-c401-4c11-93d3-0454c288d934","created":"2023-09-29T16:31:57.421Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:31:57.421Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--67dae594-4239-4756-a0bc-dee75de19e4c","created":"2023-09-29T17:07:14.259Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:07:14.259Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--67e11f38-9f68-4989-8de3-da65af52063e","created":"2023-03-30T19:24:54.896Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Industroyer2 ESET April 2022","description":"ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.","url":"https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"},{"source_name":"Industroyer2 Forescout July 2022","description":"Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.","url":"https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-06T22:10:14.646Z","description":"[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to poll a target device about its connection status, data transfer status, Common Address (CA), Information Object Addresses (IOAs), and IO state values across multiple priority levels.(Citation: Industroyer2 Forescout July 2022)(Citation: Industroyer2 ESET April 2022)","relationship_type":"uses","source_ref":"malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.202Z","relationship_type":"mitigates","description":"Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n","source_ref":"course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--685249f9-e51a-4914-8b7f-09679e04198b","created":"2023-09-28T19:49:11.359Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:49:11.359Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--686cbd74-ef49-4e77-9599-21777d3a4738","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.174Z","relationship_type":"mitigates","description":"Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1","created":"2023-09-28T19:39:25.832Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:39:25.832Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6895e54e-3968-41a9-9013-a082cd46fa44","created":"2020-05-14T14:40:26.221Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Red Canary Hospital Thwarted Ryuk October 2020","description":"Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.","url":"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"},{"source_name":"DHS/CISA Ransomware Targeting Healthcare October 2020","description":"DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.","url":"https://us-cert.cisa.gov/ncas/alerts/aa20-302a"},{"source_name":"CrowdStrike Ryuk January 2019","description":"Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.","url":"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"},{"source_name":"FireEye KEGTAP SINGLEMALT October 2020","description":"Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.","url":"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"},{"source_name":"Microsoft Ransomware as a Service","description":"Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.","url":"https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"},{"source_name":"CrowdStrike Wizard Spider October 2020","description":"Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.","url":"https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"},{"source_name":"Sophos New Ryuk Attack October 2020","description":"Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.","url":"https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/"},{"source_name":"Mandiant FIN12 Oct 2021","description":"Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.","url":"https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"},{"source_name":"DFIR Ryuk 2 Hour Speed Run November 2020","description":"The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.","url":"https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/"},{"source_name":"DFIR Ryuk in 5 Hours October 2020","description":"The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.","url":"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/"},{"source_name":"DFIR Ryuk's Return October 2020","description":"The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.","url":"https://thedfirreport.com/2020/10/08/ryuks-return/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-04T20:04:07.781Z","description":"(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)(Citation: Mandiant FIN12 Oct 2021)(Citation: Microsoft Ransomware as a Service)","relationship_type":"uses","source_ref":"intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7","target_ref":"malware--a020a61c-423f-4195-8c46-ba1d21abba37","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--68d30c45-766f-48b6-9405-0c969243332b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.214Z","relationship_type":"mitigates","description":"All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--6902da63-3b59-46f3-99e0-6008dd47ab70","created":"2022-09-27T15:33:16.221Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:38:13.560Z","description":"Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:17:44.736Z","description":"Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--692324b4-064a-430c-8ffc-7f7acd537778","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Symantec","description":"Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ","url":"https://docs.broadcom.com/doc/w32-duqu-11-en"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:10:47.409Z","description":"[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data in information repositories, including the Infostealer 2 module that can access data from Windows Shares.(Citation: Symantec)","relationship_type":"uses","source_ref":"malware--68dca94f-c11d-421e-9287-7c501108e18c","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--692ff921-c74d-40a4-ab31-879aba5f247a","created":"2023-09-29T16:42:01.287Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:42:01.287Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.218Z","relationship_type":"mitigates","description":"Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility coverterms, codenames). In many cases this information may be necessary to support critical engineering, maintenance, or operational functions, therefore, it may not be feasible to implement.\n","source_ref":"course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa","target_ref":"attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91","created":"2024-03-25T20:11:07.813Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA AA23-335A IRGC-Affiliated December 2023","description":"DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"},{"source_name":"Jamie Tarabay and Katrina Manson December 2023","description":"Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024.","url":"https://www.bloomberg.com/news/articles/2023-12-22/iranian-linked-hacks-expose-failure-to-safeguard-us-water-system"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:12:34.791Z","description":"During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) replaced the existing graphic on the [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002) with their own, thereby preventing PLC owners and operators from viewing PLC information on the HMI.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Jamie Tarabay and Katrina Manson December 2023) ","relationship_type":"uses","source_ref":"campaign--8fda050f-470d-4401-994e-35c1a6c301de","target_ref":"attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"IEC February 2019","description":"IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ","url":"https://webstore.iec.ch/publication/34421"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:36:26.282Z","description":"Provide the ability to verify the integrity of controller tasking. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n","relationship_type":"mitigates","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--69cf4015-fae1-47f6-9253-1f99209288a5","created":"2023-09-29T16:27:34.964Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:27:34.964Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820","created":"2023-09-29T17:44:19.135Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:44:19.135Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6a476f56-2c07-43be-8054-d978ee8eb924","created":"2023-09-29T16:42:12.160Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:42:12.160Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908","created":"2023-03-30T19:25:53.572Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Industroyer2 Mandiant April 2022","description":"Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.","url":"https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks"},{"source_name":"Industroyer2 Forescout July 2022","description":"Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.","url":"https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-06T22:10:36.267Z","description":"[Industroyer2](https://attack.mitre.org/software/S1072) is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)","relationship_type":"uses","source_ref":"malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T18:41:05.273Z","description":"Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d","created":"2023-03-30T14:09:40.255Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T14:09:40.255Z","description":"Monitor for device alarms produced when device management passwords are changed, although not all devices will produce such alarms.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6ad39b3a-a962-457f-852c-be7fc615e22f","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T21:23:00.355Z","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n","relationship_type":"mitigates","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72","created":"2023-09-29T16:31:22.789Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:31:22.789Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c","created":"2024-03-25T20:06:37.050Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA AA23-335A IRGC-Affiliated December 2023","description":"DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"},{"source_name":"Lisa Zahner December 2023","description":"Lisa Zahner. (2023, December 15). Hackers in Iran attack computer at Vero Utilities. Retrieved March 25, 2024.","url":"https://veronews.com/2023/12/15/hackers-in-iran-attack-computer-at-vero-utilities/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:12:44.100Z","description":"During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) exploited devices connected to the public internet, such as internet connected Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002) and networking equipment such as cellular modems found in OT environments.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Lisa Zahner December 2023)","relationship_type":"uses","source_ref":"campaign--8fda050f-470d-4401-994e-35c1a6c301de","target_ref":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6b54f354-9059-4366-8077-87360c4db2ab","created":"2023-10-02T20:18:20.019Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:18:20.019Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.147Z","relationship_type":"mitigates","description":"Only authorized personnel should be able to change settings for alarms.\n","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.101Z","relationship_type":"mitigates","description":"All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T16:44:06.211Z","description":"Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.","relationship_type":"detects","source_ref":"x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6baa9172-04e4-416d-a009-668cda23fd5d","created":"2021-10-08T15:25:32.143Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T17:13:18.889Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell with the following command: `set @s = master..xp _ cmdshell extrac32 /y +@t+ +@t+x; exec(@s);` (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:40:22.279Z","description":"Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.","relationship_type":"detects","source_ref":"x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee","created":"2022-09-29T14:26:04.715Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-29T14:26:04.715Z","description":"Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.089Z","relationship_type":"mitigates","description":"Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--6bf14e79-3287-4b9e-b222-9d527530df1e","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:57:08.560Z","description":"Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6c15ec9f-2b48-419c-adc1-f989833f6187","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-10-14T17:59:24.739Z","modified":"2022-05-06T17:47:24.224Z","relationship_type":"mitigates","description":"Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.\n","source_ref":"course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7","target_ref":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--6c31c795-935a-41ad-8db1-d74430f4a553","created":"2023-09-29T18:56:59.151Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:56:59.151Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4","created":"2023-09-28T20:09:36.756Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:09:36.756Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e","created":"2023-09-28T20:08:52.975Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:08:52.975Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.186Z","relationship_type":"mitigates","description":"All remote services should require strong authentication before providing user access.\n","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--6d822f86-5793-403a-b176-5d533f6b81b3","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Daavid Hentunen, Antti Tikkanen June 2014","description":"Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ","url":"https://www.f-secure.com/weblog/archives/00002718.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:19:43.236Z","description":"The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through trojanized installers planted on compromised vendor sites. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)","relationship_type":"uses","source_ref":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","target_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5","created":"2023-03-10T20:35:16.772Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:35:16.772Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.220Z","relationship_type":"mitigates","description":"Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--6e7e6dfa-99ed-4cf1-b836-16ad0ae0924b","created":"2024-03-25T20:18:44.670Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-25T20:18:44.670Z","description":"Monitor executed commands and associated arguments for application programs which support executing custom code, scripts, commands, or executables. ","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6eaf727c-fec3-4e63-8852-eee27c44d596","created":"2022-09-27T15:23:19.486Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:47:06.144Z","description":"Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.","relationship_type":"detects","source_ref":"x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f","created":"2024-03-26T15:42:22.024Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T15:42:22.024Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6ed07095-c23a-4676-807f-a544deaeb274","created":"2021-04-12T18:49:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"McAfee Labs October 2019","description":"McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us"},{"source_name":"SecureWorks September 2019","description":"SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ","url":"https://www.secureworks.com/research/revil-sodinokibi-ransomware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:05:35.788Z","description":"[REvil](https://attack.mitre.org/software/S0496) sends exfiltrated data from the victims system using HTTPS POST messages sent to the C2 system. (Citation: McAfee Labs October 2019) (Citation: SecureWorks September 2019)","relationship_type":"uses","source_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","target_ref":"attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.069Z","relationship_type":"mitigates","description":"Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf","created":"2023-09-29T17:41:50.116Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:41:50.116Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.112Z","relationship_type":"mitigates","description":"Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n","source_ref":"course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e","target_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--6f2ddada-d7df-4788-b5d1-9add185142e0","created":"2023-09-28T20:02:57.330Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:02:57.330Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e","created":"2023-09-28T21:27:14.172Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:27:14.172Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6f950c91-125b-46a0-aa40-239b4de2306a","created":"2023-09-28T21:14:03.305Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:14:03.305Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd","created":"2024-09-11T23:00:00.833Z","revoked":false,"external_references":[{"source_name":"Claroty Fuxnet 2024","description":"Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.","url":"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-11T23:00:00.833Z","description":"[Fuxnet](https://attack.mitre.org/software/S1157) repeatedly wrote arbitrary data over the Meter-Bus channel from impacted devices to connected sensors to render sensor data acquisition useless.(Citation: Claroty Fuxnet 2024)","relationship_type":"uses","source_ref":"malware--931e2489-8078-4f9f-85b2-a9211950e75b","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016","description":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:01:38.884Z","description":"[PLC-Blaster](https://attack.mitre.org/software/S1006) may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)","relationship_type":"uses","source_ref":"malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe","target_ref":"attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7","created":"2023-03-30T19:25:22.673Z","revoked":false,"external_references":[{"source_name":"Industroyer2 Forescout July 2022","description":"Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.","url":"https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:25:22.673Z","description":"[Industroyer2](https://attack.mitre.org/software/S1072) leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.(Citation: Industroyer2 Forescout July 2022)","relationship_type":"uses","source_ref":"malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5","target_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--70113c21-85f2-4232-8755-233f93864277","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T19:17:12.033Z","description":"Monitor processes and command-line arguments to see if critical processes are terminated or stop running. For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).","relationship_type":"detects","source_ref":"x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7041d8e5-3b74-402a-86b3-fd59def80632","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.135Z","relationship_type":"mitigates","description":"Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n","source_ref":"course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd","target_ref":"attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb","external_references":[{"source_name":"M. Rentschler and H. Heine","description":"M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ","url":"https://ieeexplore.ieee.org/document/6505877"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"DHS CISA February 2019","description":"DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ","url":"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:25:44.864Z","description":"[Triton](https://attack.mitre.org/software/S1009) communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe which includes a Python environment. (Citation: DHS CISA February 2019)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--70a9010c-6943-4274-b854-50901c3e5a0e","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:23:29.885Z","description":"Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:29:38.448Z","description":"Monitor network traffic for default credential use in protocols that allow unencrypted authentication.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--71422483-33e4-4131-a4ec-40322d91d8a0","created":"2019-06-24T17:20:24.258Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Catalin Cimpanu April 2016","description":"Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ","url":"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"},{"source_name":"Symantec June 2015","description":"Symantec 2015, June 30 Simple steps to protect yourself from the Conficker Worm Retrieved. 2019/12/05 ","url":"https://support.symantec.com/us/en/article.tech93179.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-17T15:38:28.233Z","description":"[Conficker](https://attack.mitre.org/software/S0608) exploits Windows drive shares. Once it has infected a computer, [Conficker](https://attack.mitre.org/software/S0608) automatically copies itself to all visible open drive shares on other computers inside the network. (Citation: Symantec June 2015) Nuclear power plant officials suspect someone brought in [Conficker](https://attack.mitre.org/software/S0608) by accident on a USB thumb drive, either from home or computers found in the power plant's facility. (Citation: Catalin Cimpanu April 2016)","relationship_type":"uses","source_ref":"malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55","target_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977","created":"2023-09-28T19:55:37.459Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:55:37.459Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.228Z","relationship_type":"mitigates","description":"Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.\n","source_ref":"course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T16:44:01.639Z","description":"To protect against AiTM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from AiTM.\n","relationship_type":"mitigates","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3","created":"2024-09-11T23:00:48.583Z","revoked":false,"external_references":[{"source_name":"Claroty Fuxnet 2024","description":"Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.","url":"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-11T23:00:48.583Z","description":"[Fuxnet](https://attack.mitre.org/software/S1157) impaired sensor communication to impacted devices resulting in a loss of view condition for overall system monitoring.(Citation: Claroty Fuxnet 2024)","relationship_type":"uses","source_ref":"malware--931e2489-8078-4f9f-85b2-a9211950e75b","target_ref":"attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7258c355-677c-452d-b1fc-27767232437b","created":"2019-03-26T16:19:52.358Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019","description":"David Voreacos, Katherine Chinglinsky, Riley Griffin 2019, December 03 Merck Cyberattacks $1.3 Billion Question: Was It an Act of War? Retrieved. 2019/12/06 ","url":"https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:59:02.909Z","description":"[NotPetya](https://attack.mitre.org/software/S0368) disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines. (Citation: David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019)","relationship_type":"uses","source_ref":"malware--5719af9d-6b16-46f9-9b28-fb019541ddbb","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--72bfda0b-31e9-4958-8d40-6efe816d9989","created":"2022-09-27T15:32:03.332Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:33:47.681Z","description":"Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.","relationship_type":"detects","source_ref":"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e","target_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--730580d4-d68c-407f-9d09-f379e9aefc7e","created":"2023-03-30T19:25:41.475Z","revoked":false,"external_references":[{"source_name":"Industroyer2 Forescout July 2022","description":"Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.","url":"https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:25:41.475Z","description":"[Industroyer2](https://attack.mitre.org/software/S1072) uses a General Interrogation command to monitor the device’s Information Object Addresses (IOAs) and their IO state values.(Citation: Industroyer2 Forescout July 2022)","relationship_type":"uses","source_ref":"malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5","target_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--73093c08-ea39-4956-8bff-55e15f6630cd","created":"2023-09-28T20:07:59.785Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:07:59.785Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos","description":"Dragos Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 Magnallium Retrieved. 2019/10/27 ","url":"https://dragos.com/resource/magnallium/"},{"source_name":"Symantec March 2019","description":"Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 ","url":"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T15:42:15.944Z","description":"[APT33](https://attack.mitre.org/groups/G0064) utilized PowerShell scripts to establish command and control and install files for execution. (Citation: Symantec March 2019) (Citation: Dragos)","relationship_type":"uses","source_ref":"intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--73a48431-3597-4a72-acb8-c1e5019073e2","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Twitter ItsReallyNick Masquerading Update","description":"Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.","url":"https://x.com/ItsReallyNick/status/1055321652777619457"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-12T19:30:45.065Z","description":"Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.(Citation: Twitter ItsReallyNick Masquerading Update)","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148","created":"2024-03-25T20:17:16.271Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-25T20:17:16.271Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--740082b7-2411-473a-a59d-4d46cf12f8b5","created":"2023-09-29T18:45:01.516Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:45:01.516Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7411b05d-209a-4907-83ce-00ab1538fbac","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.084Z","relationship_type":"mitigates","description":"Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n","source_ref":"course-of-action--3172222b-4983-43f7-8983-753ded4f13bc","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","external_references":[{"source_name":"Gardiner, J., Cova, M., Nagaraja, S February 2014","description":"Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ","url":"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7","created":"2023-09-29T17:57:23.090Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:57:23.090Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"MDudek-ICS","description":"MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ","url":"https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:26:26.552Z","description":"[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. (Citation: MDudek-ICS)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--74ec9ce5-3155-488c-ae56-570c47a1d207","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-13T12:45:26.506Z","modified":"2022-05-06T17:47:24.194Z","relationship_type":"mitigates","description":"ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n","source_ref":"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","external_references":[{"source_name":"D. Parsons and D. Wylie September 2019","description":"D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ","url":"https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/"},{"source_name":"Colin Gray","description":"Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ","url":"https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901"},{"source_name":"Josh Rinaldi April 2016","description":"Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ","url":"https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/"},{"source_name":"Aditya K Sood July 2019","description":"Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ","url":"https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/"},{"source_name":"Langner November 2018","description":"Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ","url":"https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.080Z","relationship_type":"mitigates","description":"Execution prevention may block malicious software from accessing protected resources through the command line interface.\n","source_ref":"course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--754521fc-4306-4daa-831b-6b6fb45847e2","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.108Z","relationship_type":"mitigates","description":"All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. (Citation: MITRE June 2020)\n","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","external_references":[{"source_name":"MITRE June 2020","description":"MITRE 2020, June CWE CATEGORY: 7PK - API Abuse Retrieved. 2020/09/25 ","url":"https://cwe.mitre.org/data/definitions/227.html"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--7584e57f-1258-4c47-b18d-99019a586e6c","created":"2023-09-28T21:16:35.382Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:16:35.382Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--758773e3-d23d-44db-b5d3-643cde5b41f1","created":"2023-09-28T19:45:07.511Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:45:07.511Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--758d5818-f919-4a6b-9dc2-a212595a11bd","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:49:30.320Z","description":"Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n","relationship_type":"mitigates","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--75a60046-c4d7-498a-b256-9a93b5992dcc","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:55:46.014Z","description":"Monitor for unusual processes with internal network connections creating files on-system which may be suspicious. ","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48","created":"2023-09-29T17:06:33.098Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:06:33.098Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--75e6adae-06a7-47e9-878e-74ca73004c3b","created":"2023-09-28T20:30:01.641Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:30:01.641Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--76537fd7-5782-4a8d-9b54-117b168a4306","created":"2023-09-29T16:38:51.155Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:38:51.155Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T19:36:51.486Z","description":"Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. For added context on adversary procedures and background see [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) and applicable sub-techniques.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--77566f94-5e26-41c9-892f-2f62b395afe7","created":"2023-09-28T20:01:43.057Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:01:43.057Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--77821dbb-367e-455f-bcae-b87412e88f1b","created":"2022-09-26T16:56:53.939Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:56:53.940Z","description":"Monitor asset management systems for device configuration changes which can be used to understand expected parameter settings.","relationship_type":"detects","source_ref":"x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--77f3a64d-227d-487f-8484-89007e05b59f","created":"2023-09-28T21:16:14.153Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:16:14.153Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--78881a3d-59ad-4fbb-8bd2-69388a068584","created":"2023-09-29T18:01:45.518Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:01:45.518Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631","created":"2023-09-28T21:09:33.225Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:09:33.225Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--78972893-5d8c-480f-a05d-481adc0c8bb0","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:12:25.316Z","description":"Monitor ICS automation network protocols for functions related to reading an asset’s operating mode. In some cases, there may be multiple ways to detect a device’s operating mode, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7912946d-1605-465a-a55c-36bb104235ab","created":"2022-09-27T16:08:53.157Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T16:08:53.157Z","description":"Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--792324b4-064a-430c-8ffc-7f7acd537778","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Symantec","description":"Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ","url":"https://docs.broadcom.com/doc/w32-duqu-11-en"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:44:27.955Z","description":"[Duqu](https://attack.mitre.org/software/S0038)'s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.(Citation: Symantec)","relationship_type":"uses","source_ref":"malware--68dca94f-c11d-421e-9287-7c501108e18c","target_ref":"attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--79235599-e23f-43cb-9c56-1eb22b7c4664","created":"2023-09-29T16:38:38.201Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:38:38.201Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--79324bdd-cdab-4d0a-af60-af1047c1d117","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:25:35.287Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--79407d1e-8e16-48c1-939c-ad92f91dd988","created":"2023-09-29T16:30:19.141Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:30:19.141Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--798919d3-df8b-463f-b2be-4c1aa8089384","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-10-14T17:59:24.739Z","modified":"2022-05-06T17:47:24.226Z","relationship_type":"mitigates","description":"Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","external_references":[{"source_name":"North America Transmission Forum December 2019","description":"North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ","url":"https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--798de2f3-218b-4622-a62c-84e3840d45a6","created":"2023-09-29T18:00:10.845Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:00:10.845Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19","created":"2023-09-29T16:32:22.510Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:32:22.510Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--79d05cb2-ded0-4847-b52e-af7af421f303","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kevin Savage and Branko Spasojevic","description":"Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ","url":"https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:50:07.974Z","description":"[Flame](https://attack.mitre.org/software/S0143) can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information. (Citation: Kevin Savage and Branko Spasojevic)","relationship_type":"uses","source_ref":"malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498","target_ref":"attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:46:05.831Z","description":"Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe). ","relationship_type":"detects","source_ref":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Hydro","description":"Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ","url":"https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"},{"source_name":"Kevin Beaumont","description":"Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ","url":"https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:56:48.612Z","description":"Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of view which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)","relationship_type":"uses","source_ref":"malware--5af7a825-2d9f-400d-931a-e00eb9e27f48","target_ref":"attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978","created":"2022-09-26T14:29:33.111Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:29:33.111Z","description":"Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).","relationship_type":"detects","source_ref":"x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.157Z","relationship_type":"mitigates","description":"Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0","created":"2023-09-29T16:33:23.456Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:33:23.456Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780","created":"2023-09-28T19:45:42.727Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:45:42.727Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b","created":"2023-09-29T17:39:54.089Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:39:54.089Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7bb1dbec-7314-479a-9496-86f8e25041eb","created":"2023-09-29T16:40:43.415Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:40:43.416Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07","created":"2023-09-29T18:49:01.768Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:49:01.768Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84","created":"2023-09-28T20:07:15.553Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:07:15.553Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07","created":"2023-03-31T17:45:32.860Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Crashoverride 2018","description":"Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-07T16:12:03.917Z","description":"During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.(Citation: Dragos Crashoverride 2018)","relationship_type":"uses","source_ref":"campaign--aa73efef-1418-4dbe-b43c-87a498e97234","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea","created":"2023-09-28T20:07:01.309Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:07:01.309Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.084Z","relationship_type":"mitigates","description":"Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c","created":"2022-09-29T01:37:13.671Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"},{"source_name":"Brubaker-Incontroller","description":"Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.","url":"https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.441Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.080Z","relationship_type":"mitigates","description":"Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.\n","source_ref":"course-of-action--d0909119-2f71-4923-87db-b649881672d7","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd","created":"2022-09-27T15:27:00.387Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:27:00.387Z","description":"Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7c329018-b591-42c4-8806-4d02ccd47476","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:55:36.262Z","description":"Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:26:34.069Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) toggles breakers to the open state utilizing unauthorized command messages. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23","created":"2023-09-29T18:48:29.126Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:48:29.126Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95","created":"2022-09-27T17:22:27.241Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-29T14:05:12.676Z","description":"Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.","relationship_type":"detects","source_ref":"x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd","target_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7c893581-c847-495a-aa93-9d98c516e1ae","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:13:43.688Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603)'s infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804","created":"2024-03-27T19:55:40.243Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Mandiant-Sandworm-Ukraine-2022","description":"Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.","url":"https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T15:20:07.527Z","description":"During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.(Citation: Mandiant-Sandworm-Ukraine-2022)","relationship_type":"uses","source_ref":"campaign--df8eb785-70f8-4300-b444-277ba849083d","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.072Z","relationship_type":"mitigates","description":"Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--7d2db896-3051-483c-bc53-ca21832ee085","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:47:23.983Z","description":"Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:39:20.443Z","description":"Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7d42ba22-9595-4463-8dda-c0e47a154fed","created":"2023-09-28T20:07:48.301Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:07:48.301Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7d5759cd-890e-4ec5-b92b-aba225d52960","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:49:40.767Z","description":"Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n","relationship_type":"mitigates","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:14:40.227Z","description":"Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may then perform these actions using [Valid Accounts](https://attack.mitre.org/techniques/T0859).","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:29:53.545Z","description":"Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7d752615-33f0-44ed-a156-25d84f384e75","created":"2023-09-27T14:57:11.627Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.261Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power company phone line operators were hit with a denial of service attack so that they couldn’t field customers’ calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices. (Citation: Ukraine15 - EISAC - 201603)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:54:12.966Z","description":"Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) and [System Network Connections Discovery](https://attack.mitre.org/techniques/T1049).","relationship_type":"detects","source_ref":"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e","target_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7db9687b-7099-4cb6-a040-bc32fc549a81","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.195Z","relationship_type":"mitigates","description":"Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b","created":"2024-04-09T20:53:54.209Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:53:54.209Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7dedeb73-ef90-4282-a635-cc37326773af","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.083Z","relationship_type":"mitigates","description":"Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n","source_ref":"course-of-action--3172222b-4983-43f7-8983-753ded4f13bc","target_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","external_references":[{"source_name":"Gardiner, J., Cova, M., Nagaraja, S February 2014","description":"Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ","url":"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--7e87ce08-a428-4e55-876e-80d2760121a5","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:37:35.099Z","description":"Monitor executed commands and arguments for actions that could be taken to collect internal data.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858","created":"2023-09-29T16:32:46.335Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:32:46.335Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706","created":"2023-09-28T20:28:16.122Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:28:16.122Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7","created":"2023-09-29T17:43:22.756Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:43:22.756Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T18:40:55.168Z","description":"Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3","created":"2022-09-26T15:24:07.122Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:24:07.122Z","description":"Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.071Z","relationship_type":"mitigates","description":"Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.152Z","relationship_type":"mitigates","description":"Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.\n","source_ref":"course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.114Z","relationship_type":"mitigates","description":"Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n","source_ref":"course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea","target_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","external_references":[{"source_name":"Dan Goodin March 2017","description":"Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ","url":"https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T16:43:45.457Z","description":"Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n","relationship_type":"mitigates","source_ref":"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.098Z","relationship_type":"mitigates","description":"Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--80a69b56-337d-446a-8167-8b9f63083c4f","created":"2022-09-28T21:24:21.810Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA-AA22-103A","description":"DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"},{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.442Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) includes a library that creates Modbus connections with a device to request its device ID.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b","created":"2024-03-25T20:17:49.585Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-25T20:17:49.585Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--81055366-e78b-40e0-a799-4b536ba03db3","created":"2023-09-29T18:45:22.474Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:45:22.474Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--81117328-e2bb-431c-a1ca-6ba7e6816637","created":"2022-09-26T16:25:38.511Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:25:38.511Z","description":"Consult asset management systems to understand expected program versions.","relationship_type":"detects","source_ref":"x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--81352e47-4317-45e3-88b9-a97dd2166727","created":"2024-03-28T14:29:05.074Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TRITON Dec 2017","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:01:17.504Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.(Citation: FireEye TRITON Dec 2017)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6","created":"2023-09-28T20:11:42.579Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:11:42.579Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--81806f43-c9aa-486e-8032-4e4665ba0d39","created":"2023-09-29T18:43:13.760Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:43:13.760Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32","created":"2023-09-28T21:13:00.330Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:13:00.330Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--81add433-49d8-43ec-85d5-f48fe80e56e7","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:44:21.000Z","description":"Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.","relationship_type":"detects","source_ref":"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e","target_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--81ca994a-b350-424d-8f39-a0b64aa76260","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.204Z","relationship_type":"mitigates","description":"Users can be trained to identify social engineering techniques and spearphishing emails.\n","source_ref":"course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--82b20c35-88c6-49aa-8241-a59512b17b74","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"},{"source_name":"Langer Stuxnet","description":"Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.","url":"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-17T16:00:35.053Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. (Citation: Langer Stuxnet)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T16:42:35.018Z","description":"Monitor Windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.","relationship_type":"detects","source_ref":"x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--83a964cb-730c-44e4-859b-b5246159396b","created":"2023-09-29T17:59:43.275Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:59:43.275Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--83c29179-4805-403a-acf5-5151c4d2e556","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:27:02.814Z","description":"[Industroyer](https://attack.mitre.org/software/S0604)'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--83c8c216-7ff7-4bd3-9db4-573469628d95","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Joe Slowik August 2019","description":"Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ","url":"https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T14:53:48.947Z","description":"The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:32:52.932Z","description":"Monitor for newly constructed drive letters or mount points to removable media.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f","target_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:49:11.920Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.187Z","relationship_type":"mitigates","description":"Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--84671396-a556-4a5d-9bb9-cac697277371","created":"2023-09-29T16:31:12.255Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:31:12.255Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65","created":"2023-09-28T21:11:15.610Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:11:15.610Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--84fa50ff-bb84-4ab6-b759-658c57532c42","created":"2023-09-29T16:32:09.319Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:32:09.319Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7","created":"2023-09-29T18:01:32.878Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:01:32.878Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75","created":"2023-09-29T17:59:22.291Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:59:22.291Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--868db512-b897-4a54-ae56-ac78f6c93a14","created":"2022-09-28T20:29:18.027Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA-AA22-103A","description":"DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"},{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.443Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can use a Telnet session to load a malware implant on Omron PLCs.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc","created":"2023-09-28T19:58:13.866Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:58:13.866Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:01:39.537Z","description":"Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--86c94552-de59-453d-ac06-28a6a64db930","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:47:46.836Z","description":"Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.166Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c","created":"2023-09-28T21:09:41.659Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:09:41.659Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:18:43.413Z","description":"Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--86f1655a-db46-4d49-9051-6653da83eb13","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:13:57.066Z","description":"Protect files with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n","relationship_type":"mitigates","source_ref":"course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--874752f4-59a2-46e9-ae28-befe0142b223","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-30T14:37:52.169Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--87c8ab74-576d-4962-b641-0762d374d1e8","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:49:35.368Z","description":"The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--87eb5825-c918-444f-8da5-67da9eea9906","created":"2022-09-26T17:14:52.427Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T17:14:52.427Z","description":"Monitor device application logs for firmware changes, although not all devices will produce such logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:10:18.233Z","description":"Some asset application logs may provide information on I/O points related to write commands. Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce","created":"2022-09-27T15:25:50.596Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:49:19.854Z","description":"Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures.","relationship_type":"detects","source_ref":"x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5","target_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2","created":"2023-09-28T21:24:07.864Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:24:07.864Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--892c0bff-17b6-447b-a213-6a3189a1df82","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:51:45.844Z","description":"Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--897cfc36-4253-4e1e-8825-726dbe9088a2","created":"2023-09-28T19:55:02.944Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:55:02.944Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T18:41:09.265Z","description":"Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd","created":"2021-10-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T17:31:56.055Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) infects DLL's associated with the WinCC Simatic manager which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the `xyz.dll` file. If the `xyz.dll` file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf","created":"2023-03-30T19:01:40.038Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:01:40.038Z","description":"Monitor for any suspicious attempts to enable scripts running on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).","relationship_type":"detects","source_ref":"x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:49:59.817Z","description":"In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108","created":"2023-09-29T16:42:43.736Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:42:43.736Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62","created":"2023-09-27T14:50:09.612Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T15:25:53.307Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) moved their tools laterally within the ICS network. (Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c","created":"2022-09-26T16:50:56.298Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:50:56.298Z","description":"Monitor for a loss of network communications, which may indicate a device has been shutdown or restarted. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:32:18.214Z","description":"Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Asset management systems should be consulted to understand known-good firmware versions and configurations.","relationship_type":"detects","source_ref":"x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd","target_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8b17ad46-b0cc-4766-9cae-eba32260d468","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.135Z","relationship_type":"mitigates","description":"Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"MDudek-ICS","description":"MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ","url":"https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:27:15.545Z","description":"[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. (Citation: MDudek-ICS)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8b491011-322d-4e0b-8f79-449e1b2ee185","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:55:26.030Z","description":"Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f","created":"2023-09-27T14:49:29.987Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"},{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.263Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) scheduled the uninterruptable power supplies (UPS) to shutdown data and telephone servers via the UPS management interface. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:08:06.789Z","description":"Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4","created":"2023-10-02T20:21:16.665Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:21:16.665Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:59:36.071Z","description":"Monitor for unexpected deletion of files.","relationship_type":"detects","source_ref":"x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.101Z","relationship_type":"mitigates","description":"Ensure remote commands that enable device shutdown are disabled if they are not necessary. Examples include DNP3's 0x0D function code or unnecessary device management functions.\n","source_ref":"course-of-action--d0909119-2f71-4923-87db-b649881672d7","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95","created":"2023-09-28T20:31:46.082Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:31:46.082Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91","created":"2023-09-27T14:49:48.589Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.264Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Ukraine15 - EISAC - 201603)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7","created":"2023-09-28T21:25:20.417Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:25:20.417Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8da928a0-1c87-471f-aad7-5a1fdd438357","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:44:43.674Z","description":"Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash, which may be recorded in the application log.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:52:31.059Z","description":"Device restarts and shutdowns may be observable in device application logs. Monitor for unexpected device restarts or shutdowns.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.139Z","relationship_type":"mitigates","description":"Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n","source_ref":"course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd","target_ref":"attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36","external_references":[{"source_name":"M. Rentschler and H. Heine","description":"M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ","url":"https://ieeexplore.ieee.org/document/6505877"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b","created":"2023-09-29T17:05:44.653Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:05:44.653Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af","created":"2023-03-30T19:04:30.392Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:04:30.392Z","description":"Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. ","relationship_type":"detects","source_ref":"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Daavid Hentunen, Antti Tikkanen June 2014","description":"Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ","url":"https://www.f-secure.com/weblog/archives/00002718.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:20:08.002Z","description":"Using OPC, a component of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)","relationship_type":"uses","source_ref":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","target_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8","created":"2023-03-30T19:00:57.773Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:00:57.773Z","description":"Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.","relationship_type":"mitigates","source_ref":"course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8f90363e-2825-4178-807f-9268a28760fa","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.195Z","relationship_type":"mitigates","description":"Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.\n","source_ref":"course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0","target_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--8f947e00-2579-4120-a8b0-d466e59fac1a","created":"2023-09-28T19:49:25.824Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:49:25.824Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.120Z","relationship_type":"mitigates","description":"Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n","source_ref":"course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","external_references":[{"source_name":"Dan Goodin March 2017","description":"Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ","url":"https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8fcecf74-36df-41ab-9476-539c9ac0b339","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.179Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb","created":"2023-09-29T17:04:17.682Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:04:17.682Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6","created":"2023-09-28T20:04:44.041Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:04:44.041Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654","created":"2021-04-12T10:12:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Daavid Hentunen, Antti Tikkanen June 2014","description":"Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ","url":"https://www.f-secure.com/weblog/archives/00002718.html"},{"source_name":"ICS-CERT August 2018","description":"ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ","url":"https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:22:33.586Z","description":"The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)","relationship_type":"uses","source_ref":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--910bada1-c923-4009-a9ea-da257072f168","created":"2023-09-29T16:29:27.902Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:29:27.902Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--91f29477-2ff6-4dbf-bf68-c8825a938851","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-13T12:08:26.506Z","modified":"2022-05-06T17:47:24.119Z","relationship_type":"mitigates","description":"Update software regularly by employing patch management for internal enterprise endpoints and servers.\n","source_ref":"course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e","target_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.130Z","relationship_type":"mitigates","description":"Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--92ea1c2a-3835-43de-bb56-24e937a6f322","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:31:12.226Z","description":"Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (e.g., JScript.dll, vbscript.dll).","relationship_type":"detects","source_ref":"x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e","created":"2023-09-29T17:38:40.536Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:38:40.536Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--93c336f2-7e7c-4c79-af16-faae03e66121","created":"2023-09-29T18:44:09.293Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:44:09.293Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"DHS CISA February 2019","description":"DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ","url":"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:27:42.104Z","description":"[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. (Citation: DHS CISA February 2019)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--943a9a5c-7826-451d-ac73-34353ea40595","created":"2023-09-29T16:33:36.496Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:33:36.496Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--94654460-b115-4056-beb1-e982ed33437b","created":"2023-03-30T18:59:46.674Z","revoked":false,"external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T18:59:46.674Z","description":"Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from the local system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)","relationship_type":"mitigates","source_ref":"course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--949b498c-ca3f-4704-90bd-a22a4d34067f","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:37:55.042Z","description":"Monitor for loss of operational process data which could indicate alarms are being suppressed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95","target_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e","created":"2022-09-27T15:48:55.986Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:48:55.986Z","description":"Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms.\n \n[Program Download](https://attack.mitre.org/techniques/T0843) may be used to enable this technique. Monitor for program downloads which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016","description":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:02:12.812Z","description":"[PLC-Blaster](https://attack.mitre.org/software/S1006) copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)","relationship_type":"uses","source_ref":"malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6","created":"2024-04-09T20:47:47.280Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:47:47.280Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d","created":"2023-09-28T20:17:07.288Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:17:07.288Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--966b59c0-8641-432c-84f7-b2a712004d74","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:52:41.680Z","description":"The [Industroyer](https://attack.mitre.org/software/S0604) IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.112Z","relationship_type":"mitigates","description":"Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n","source_ref":"course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037","target_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8","created":"2023-09-28T20:25:30.229Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:25:30.229Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--973f5884-a076-413e-ac96-f0bd01375fb6","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:47:35.796Z","description":"Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets, including the associated controller tasking.\n","relationship_type":"mitigates","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--97538255-b049-4d15-91c4-6b227cbea476","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:16:09.542Z","description":"Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that that an alarm setting has changed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--97641754-f215-4b8f-b0cd-0d3142053c76","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"McAfee CHIPSEC Blog","description":"Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.","url":"https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/"},{"source_name":"MITRE Copernicus","description":"Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.","url":"http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about"},{"source_name":"Intel HackingTeam UEFI Rootkit","description":"Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.","url":"http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"},{"source_name":"Github CHIPSEC","description":"Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.","url":"https://github.com/chipsec/chipsec"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:48:56.024Z","description":"Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)","relationship_type":"detects","source_ref":"x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--97756c8a-b702-472b-8d67-15464a73093e","created":"2023-09-27T14:56:28.962Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"},{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.265Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [KillDisk](https://attack.mitre.org/software/S0607) rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the firmware for serial-to-ethernet converters, denying operators control of the downstream devices. (Citation: Booz Allen Hamilton)(Citation: Ukraine15 - EISAC - 201603)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.115Z","relationship_type":"mitigates","description":"Update software regularly by employing patch management for internal enterprise endpoints and servers.\n","source_ref":"course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e","target_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:59:40.539Z","description":"Monitor device application logs parameter changes, although not all devices will produce such logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1","created":"2023-09-29T16:40:54.250Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:40:54.250Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e","created":"2023-09-29T16:41:32.631Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:41:32.631Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319","created":"2023-09-29T18:47:52.800Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:47:52.800Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--982d0b4f-274a-4738-9262-57fc80d468f9","created":"2024-03-26T15:41:51.806Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T15:41:51.806Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.172Z","relationship_type":"mitigates","description":"Devices should authenticate all messages between master and outstation assets.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5","created":"2024-03-27T20:46:21.569Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Mandiant-Sandworm-Ukraine-2022","description":"Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.","url":"https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T15:20:25.327Z","description":"During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) executed a MicroSCADA application binary `scilc.exe` to send a predefined list of SCADA instructions specified in a file defined by the adversary, `s1.txt`. The executed command `C:\\sc\\prog\\exec\\scilc.exe -do pack\\scil\\s1.txt` leverages the SCADA software to send unauthorized command messages to remote substations.(Citation: Mandiant-Sandworm-Ukraine-2022)","relationship_type":"uses","source_ref":"campaign--df8eb785-70f8-4300-b444-277ba849083d","target_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--98567b03-7421-4761-8caa-cbea82d89fe3","created":"2024-03-26T15:40:06.457Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T15:40:06.457Z","description":"Configure operating systems to disable the autorun of any specific file types or drives.","relationship_type":"mitigates","source_ref":"course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce","target_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--98b229f8-6020-4fbb-b104-54fd478c14d9","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:29:49.652Z","description":"Monitor logon sessions for default credential use.","relationship_type":"detects","source_ref":"x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5","target_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.127Z","relationship_type":"mitigates","description":"Set and enforce secure password policies for accounts.\n","source_ref":"course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:53:25.280Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of control. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--990f944f-190d-456d-b194-f5ecb17a0868","created":"2019-06-24T17:20:24.258Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Catalin Cimpanu April 2016","description":"Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ","url":"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:40:11.392Z","description":"A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to temporarily shutdown. (Citation: Catalin Cimpanu April 2016)","relationship_type":"uses","source_ref":"malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55","target_ref":"attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134","created":"2023-09-29T18:03:23.576Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:03:23.576Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--99c0c90e-8526-41d6-80ca-b037598c6326","created":"2022-09-26T19:37:35.412Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:36:13.269Z","description":"Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.","relationship_type":"detects","source_ref":"x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--99ec0a8e-4a4f-427c-89db-163e4b206021","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.094Z","relationship_type":"mitigates","description":"Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n","source_ref":"course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd","target_ref":"attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20","external_references":[{"source_name":"M. Rentschler and H. Heine","description":"M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ","url":"https://ieeexplore.ieee.org/document/6505877"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f","created":"2023-09-28T19:56:54.642Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:56:54.642Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--99fa6d92-0c41-44ed-bd30-dd0413785883","created":"2023-09-29T18:43:23.321Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:43:23.321Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf","created":"2023-09-28T20:04:32.626Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:04:32.626Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.075Z","relationship_type":"mitigates","description":"Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.203Z","relationship_type":"mitigates","description":"Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n","source_ref":"course-of-action--3172222b-4983-43f7-8983-753ded4f13bc","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--9ad74496-e164-4068-a0f5-379f507ba864","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:47:23.576Z","description":"Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). ","relationship_type":"detects","source_ref":"x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8","created":"2023-09-29T18:58:05.958Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:58:05.958Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.232Z","relationship_type":"mitigates","description":"Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.\n","source_ref":"course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Xenotime 2018","description":"Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.","url":"https://dragos.com/resource/xenotime/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-11-23T21:06:25.384Z","description":"(Citation: Dragos Xenotime 2018)","relationship_type":"uses","source_ref":"intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4","target_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.0.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875","created":"2023-09-28T19:37:35.485Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:37:35.485Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1","created":"2023-09-28T20:11:52.625Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:11:52.625Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5","created":"2023-09-28T19:59:44.009Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:59:44.009Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.203Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--9cf83701-a347-47b4-a67b-280df95b275d","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:41:05.460Z","description":"Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.","relationship_type":"detects","source_ref":"x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f","created":"2022-09-27T18:40:11.818Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:12:41.739Z","description":"In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. ","relationship_type":"detects","source_ref":"x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:34:07.441Z","description":"Alterations to the service binary path or the service startup type changed to disabled may be suspicious.","relationship_type":"detects","source_ref":"x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:53:56.368Z","description":"[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9d75333b-2542-4899-923f-55dc1e077a51","created":"2022-09-27T16:03:41.224Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:45:52.592Z","description":"Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).","relationship_type":"detects","source_ref":"x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3","created":"2022-09-26T14:44:05.557Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:49:44.728Z","description":"Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.","relationship_type":"detects","source_ref":"x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9db1ecfe-72eb-42da-a09e-746663a53854","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"MDudek-ICS","description":"MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ","url":"https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-29T20:46:03.389Z","description":"[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.(Citation: MDudek-ICS)\n\n[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.(Citation: MDudek-ICS)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9e0810a5-ad02-487f-b0a8-bf07decca493","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:07:52.455Z","description":"Monitor for a loss of network communications, which may indicate this technique is being used.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:00:56.539Z","description":"Monitor for a loss of network communications, which may indicate this technique is being used.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500","created":"2023-09-29T18:07:28.902Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:07:28.902Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42","created":"2021-01-04T21:30:14.830Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ESET Industroyer","description":"Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"},{"source_name":"Dragos Crashoverride 2017","description":"Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.","url":"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"},{"source_name":"Dragos Crashoverride 2018","description":"Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"},{"source_name":"mandiant_apt44_unearthing_sandworm","description":"Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.","url":"https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"},{"source_name":"Secureworks IRON VIKING","description":"Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.","url":"https://www.secureworks.com/research/threat-profiles/iron-viking"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-08-20T19:04:50.748Z","description":"(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2017)(Citation: ESET Industroyer)(Citation: Secureworks IRON VIKING)(Citation: mandiant_apt44_unearthing_sandworm)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5","created":"2022-09-27T16:38:57.931Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T16:38:57.931Z","description":"Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9f2926a2-596f-459e-827e-6fe2d4646efd","created":"2023-09-29T18:06:46.756Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:06:46.756Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9f43126d-5f6c-42a9-9908-49175c27ead7","created":"2023-03-30T19:27:26.398Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Industroyer2 ESET April 2022","description":"ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.","url":"https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"},{"source_name":"mandiant_apt44_unearthing_sandworm","description":"Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.","url":"https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-08-20T19:05:06.892Z","description":"(Citation: Industroyer2 ESET April 2022)(Citation: mandiant_apt44_unearthing_sandworm)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3","created":"2023-09-28T21:12:14.470Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:12:14.470Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:54:30.385Z","description":"Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949","created":"2023-09-27T14:48:40.533Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.265Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47","created":"2023-09-28T20:04:19.147Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:04:19.147Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:40:06.988Z","description":"Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.","relationship_type":"detects","source_ref":"x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a04169ed-c16b-466b-80ef-22a11067f475","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:54:58.401Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of view. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.069Z","relationship_type":"mitigates","description":"Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.233Z","relationship_type":"mitigates","description":"Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: CISA June 2013)\n","source_ref":"course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","external_references":[{"source_name":"CISA June 2013","description":"CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/ncas/alerts/TA13-175A"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--a1454196-0d86-49f2-8dcb-61145a16b21e","created":"2022-09-26T20:36:04.428Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:33:05.248Z","description":"Monitor for files accessed on removable media, particularly those with executable content.","relationship_type":"detects","source_ref":"x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71","target_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a15d718f-af30-4745-a837-887ba8f48727","created":"2023-09-29T16:30:46.705Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:30:46.705Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Inc. June 2017","description":"Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ","url":"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:55:26.032Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. (Citation: Dragos Inc. June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476","created":"2023-09-29T16:43:16.472Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:43:16.472Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3","created":"2023-09-29T16:28:17.629Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:28:17.629Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a2142552-6b8d-4751-a3d4-1471420c02fc","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:15:48.476Z","description":"Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to enable remote logins.","relationship_type":"detects","source_ref":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039","created":"2023-09-28T21:16:05.517Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:16:05.517Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a22fabd2-836e-4141-9219-c76cc10138ec","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.100Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b","created":"2023-09-29T16:44:03.912Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:44:03.912Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d","created":"2023-09-29T18:04:05.993Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:04:05.993Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:50:54.867Z","description":"On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. Shells may be common on administrator, developer, or power user systems depending on job function.\n\nOn network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9","created":"2023-09-29T16:36:28.818Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:36:28.818Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7","created":"2023-09-29T16:39:54.248Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:39:54.248Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a45cec05-2d81-4db1-9267-db8be498e0d2","created":"2023-09-29T16:46:50.699Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:46:50.699Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac","created":"2023-09-29T17:40:58.726Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:40:58.726Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63","created":"2023-09-29T17:57:44.978Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:57:44.978Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ESET Research Whitepapers September 2018","description":"ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ","url":"https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"},{"source_name":"Intel","description":"Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ","url":"https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf"},{"source_name":"N/A","description":"N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ","url":"https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:20:11.016Z","description":"Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n","relationship_type":"mitigates","source_ref":"course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5","created":"2023-09-29T17:40:08.922Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:40:08.922Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016","description":"Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ","url":"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:02:30.876Z","description":"[PLC-Blaster](https://attack.mitre.org/software/S1006) stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)","relationship_type":"uses","source_ref":"malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf","created":"2023-09-27T14:45:26.126Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"},{"source_name":"Charles McLellan March 2016","description":"Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.","url":"https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T15:28:24.006Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) remotely discovered operational assets once on the OT network. (Citation: Charles McLellan March 2016) (Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:14:57.034Z","description":"Monitor for alarm setting changes observable in automation or management network protocols.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a6277ff6-9cdf-484f-a902-3f9442039905","created":"2024-09-11T22:55:18.833Z","revoked":false,"external_references":[{"source_name":"Claroty Fuxnet 2024","description":"Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.","url":"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-11T22:55:18.833Z","description":"[Fuxnet](https://attack.mitre.org/software/S1157) shut down remote access services such as SSH, HTTP, telnet, and SNMP to a device along with deleting the routing table for routing devices to inhibit system accessibility and communication.(Citation: Claroty Fuxnet 2024)","relationship_type":"uses","source_ref":"malware--931e2489-8078-4f9f-85b2-a9211950e75b","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a6479493-6154-408f-90df-9d2f3ae352d1","created":"2023-03-31T17:46:01.470Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Crashoverride 2018","description":"Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-07T17:06:53.070Z","description":"During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems.(Citation: Dragos Crashoverride 2018)","relationship_type":"uses","source_ref":"campaign--aa73efef-1418-4dbe-b43c-87a498e97234","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28","created":"2021-04-13T12:28:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Davey Winder June 2020","description":"Davey Winder 2020, June 10 Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations Retrieved. 2021/04/12 ","url":"https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:47:16.775Z","description":"[EKANS](https://attack.mitre.org/software/S0605) infection resulted in a temporary production loss within a Honda manufacturing plant. (Citation: Davey Winder June 2020)","relationship_type":"uses","source_ref":"malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T20:13:05.134Z","description":"[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7","created":"2023-09-29T17:05:56.185Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:05:56.185Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927","created":"2023-03-30T14:08:06.442Z","revoked":false,"external_references":[{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T14:08:06.442Z","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.","relationship_type":"mitigates","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a72c212f-6d4f-4c5d-873d-afa42021024c","created":"2024-03-26T15:42:10.203Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T15:42:10.203Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a731ad54-0c3c-47bb-9559-d99950782beb","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T19:22:39.784Z","description":"Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.","relationship_type":"detects","source_ref":"x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.218Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a75ddacf-e87e-4a99-83f2-618486473163","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.217Z","relationship_type":"mitigates","description":"Patch the BIOS and EFI as necessary.\n","source_ref":"course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a78e727c-8e42-448c-beb4-463804e18be0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.123Z","relationship_type":"mitigates","description":"Minimize permissions and access for service accounts to limit impact of exploitation. (Citation: Keith Stouffer May 2015)\n","source_ref":"course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac","created":"2023-09-28T19:41:16.927Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:41:16.927Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393","created":"2022-09-26T14:43:24.136Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Elastic - Koadiac Detection with EQL","description":"Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.","url":"https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:49:34.799Z","description":"Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:33:22.909Z","description":"Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.","relationship_type":"detects","source_ref":"x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:42:02.105Z","description":"All field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n","relationship_type":"mitigates","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a","created":"2022-09-29T14:27:05.757Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-29T14:27:05.757Z","description":"Monitor logon sessions for hardcoded credential use, when feasible.","relationship_type":"detects","source_ref":"x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5","target_ref":"attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.126Z","relationship_type":"mitigates","description":"Consider utilizing jump boxes for external remote access. Additionally, dynamic account management may be used to easily remove accounts when not in use.\n","source_ref":"course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:39:30.850Z","description":"Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.","relationship_type":"detects","source_ref":"x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8","created":"2021-04-11T14:06:54.109Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ICS CERT September 2018","description":"ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 2019/12/05 ","url":"https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B"},{"source_name":"ICS-CERT December 2014","description":"ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 ","url":"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T16:59:07.486Z","description":"[Sandworm Team](https://attack.mitre.org/groups/G0034) actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. (Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.125Z","relationship_type":"mitigates","description":"Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--d0909119-2f71-4923-87db-b649881672d7","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1","created":"2023-09-28T20:28:27.970Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:28:27.970Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a86cee0a-dc49-4c95-b5dc-37405337490b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.079Z","relationship_type":"mitigates","description":"Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--a91002fe-21b2-4417-9c23-af712a7a035c","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:46:24.589Z","description":"Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets.\n","relationship_type":"mitigates","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a91295dc-b381-4dc9-9384-9f9949066778","created":"2023-09-29T18:42:18.446Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:42:18.446Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a93ba793-24dd-47dd-b32c-4c3016124c90","created":"2023-09-29T18:43:02.969Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:43:02.969Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"MDudek-ICS","description":"MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ","url":"https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:27:55.358Z","description":"[Triton](https://attack.mitre.org/software/S1009) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. (Citation: MDudek-ICS)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--aa205915-7571-47ee-8bc6-5aa1ace86690","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:52:11.111Z","description":"Devices may produce alarms about restarts or shutdowns. Monitor for unexpected device restarts or shutdowns.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91","created":"2022-09-26T16:35:07.728Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:35:07.728Z","description":"Monitor for new master devices communicating with outstations, which may be visible in alarms within the ICS environment.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba","created":"2023-09-29T17:42:56.284Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:42:56.284Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa","created":"2023-03-30T19:03:59.066Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:03:59.066Z","description":"Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:32:51.548Z","description":"Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ab0b5170-577b-491e-8508-b9a34dc393c1","created":"2022-09-27T16:22:57.470Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T16:22:57.470Z","description":"Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs.","relationship_type":"detects","source_ref":"x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ab306654-2abb-4983-8d30-df4058adb06c","created":"2021-04-12T18:49:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Selena Larson, Camille Singleton December 2020","description":"Selena Larson, Camille Singleton 2020, December RANSOMWARE IN ICS ENVIRONMENTS Retrieved. 2021/04/12 ","url":"https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf?utm_referrer=https%3A%2F%2Fwww.dragos.com%2Fresource%2Fransomware-in-ics-environments%2F"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:06:16.474Z","description":"The [REvil](https://attack.mitre.org/software/S0496) malware gained access to an organizations network and encrypted sensitive files used by OT equipment. (Citation: Selena Larson, Camille Singleton December 2020)","relationship_type":"uses","source_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b","created":"2023-09-29T17:37:50.048Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:37:50.048Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.080Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e","created":"2023-09-29T17:37:16.719Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:37:16.719Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed","created":"2023-09-28T19:41:30.623Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:41:30.623Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ab8e129c-5411-4784-9194-068fa915da23","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov","description":"Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ","url":"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:54:49.878Z","description":"[KillDisk](https://attack.mitre.org/software/S0607) deletes application, security, setup, and system event logs from Windows systems. (Citation: Anton Cherepanov)","relationship_type":"uses","source_ref":"malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291","created":"2023-10-02T20:20:19.426Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:20:19.426Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ac933d76-8207-4bf7-add2-92b60cf3044b","created":"2023-09-28T20:04:54.213Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:04:54.213Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--acace658-da7e-4a19-aa98-8aec8c966dde","created":"2023-09-27T14:53:03.323Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.266Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breaks after gaining control of operator workstations and accessing a distribution management system (DMS) application. (Citation: Ukraine15 - EISAC - 201603)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ad7770c3-fe24-4285-9ce2-1616a1061472","type":"relationship","created":"2019-04-17T14:45:59.681Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.","url":"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html","source_name":"FireEye FIN6 Apr 2019"}],"modified":"2019-06-28T14:59:17.849Z","description":"(Citation: FireEye FIN6 Apr 2019)","relationship_type":"uses","source_ref":"intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb","target_ref":"malware--5af7a825-2d9f-400d-931a-e00eb9e27f48","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:36:33.957Z","description":"Monitor network traffic for anomalies associated with known AiTM behavior. For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.111Z","relationship_type":"mitigates","description":"Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. (Citation: Karen Scarfone; Paul Hoffman September 2009)\n","source_ref":"course-of-action--49363b74-d506-4342-bd63-320586ebadb9","target_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","external_references":[{"source_name":"Karen Scarfone; Paul Hoffman September 2009","description":"Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ","url":"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b","created":"2023-09-28T21:12:39.257Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:12:39.257Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ade12d27-13bb-4ebf-be08-7039cf699682","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.065Z","relationship_type":"mitigates","description":"Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--adf2072c-0341-4fc2-9d25-495b4af864e9","created":"2023-03-10T20:09:22.370Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:09:22.370Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network preventing them from issuing any controls.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ae10e97a-90ac-498b-8601-01081dc4af8b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-12T18:59:17.429Z","modified":"2022-05-06T17:47:24.188Z","relationship_type":"mitigates","description":"Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.\n","source_ref":"course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc","created":"2023-09-28T19:50:14.201Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:50:14.201Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.167Z","relationship_type":"mitigates","description":"Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).\n","source_ref":"course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433","target_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c","created":"2023-03-10T20:36:34.109Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:36:34.109Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--af20f409-05ed-42c3-ae3e-09b047b84875","created":"2023-09-25T20:49:25.308Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:49:25.308Z","description":"All field controllers should require that user authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:39:13.371Z","description":"Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379","created":"2023-09-28T21:17:32.313Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:17:32.313Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d","created":"2023-09-29T16:44:42.393Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:44:42.393Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.133Z","relationship_type":"mitigates","description":"Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n","source_ref":"course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd","target_ref":"attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95","external_references":[{"source_name":"M. Rentschler and H. Heine","description":"M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ","url":"https://ieeexplore.ieee.org/document/6505877"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.061Z","relationship_type":"mitigates","description":"Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1","created":"2023-09-29T17:37:41.336Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:37:41.336Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1","created":"2023-09-29T16:40:30.440Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:40:30.440Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b05d678b-4d87-4261-9366-f8b757a77661","created":"2024-03-28T14:27:51.356Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TRITON Dec 2017","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:01:54.735Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) would programmatically return the controller to a normal running state if the [Triton](https://attack.mitre.org/software/S1009) malware failed. If the controller could not recover in a defined time window, [TEMP.Veles](https://attack.mitre.org/groups/G0088) programmatically overwrote their malicious program with invalid data.(Citation: FireEye TRITON Dec 2017)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7","created":"2022-09-27T15:30:18.604Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:30:18.604Z","description":"Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b07e6896-a840-49a1-8d58-94396a902b95","created":"2023-03-31T17:56:07.978Z","revoked":false,"external_references":[{"source_name":"ESET Industroyer","description":"Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T17:56:07.978Z","description":"During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) supplied the name of the payload DLL to [Industroyer](https://attack.mitre.org/software/S0604) via a command line parameter.(Citation: ESET Industroyer)","relationship_type":"uses","source_ref":"campaign--aa73efef-1418-4dbe-b43c-87a498e97234","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1","created":"2023-09-28T21:21:18.081Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:21:18.081Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:43:36.467Z","description":"Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:59:13.486Z","description":"Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:56:58.977Z","description":"Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b13417ea-d8da-497f-818f-d2d90562039a","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T16:44:13.707Z","description":"Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.\n","relationship_type":"mitigates","source_ref":"course-of-action--3172222b-4983-43f7-8983-753ded4f13bc","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b1768154-221c-48be-ab2b-549ec1eddafb","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.068Z","relationship_type":"mitigates","description":"Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","external_references":[{"source_name":"Karen Scarfone; Paul Hoffman September 2009","description":"Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ","url":"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"},{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"},{"source_name":"Dwight Anderson 2014","description":"Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec","created":"2022-09-26T15:38:45.913Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:38:45.913Z","description":"Monitor for loss of expected device alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b1921480-8499-46a9-8396-2a2d747c5861","created":"2023-09-28T19:58:00.892Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:58:00.892Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.228Z","relationship_type":"mitigates","description":"If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n","source_ref":"course-of-action--3172222b-4983-43f7-8983-753ded4f13bc","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--b21e0340-976d-44b2-94ae-f777199993c6","created":"2023-09-28T19:39:00.326Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:39:00.326Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov","description":"Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ","url":"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:55:06.661Z","description":"[KillDisk](https://attack.mitre.org/software/S0607) is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. (Citation: Anton Cherepanov)","relationship_type":"uses","source_ref":"malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b259c196-2a23-4173-9ed5-aae1c948579e","created":"2024-03-25T20:19:03.025Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-28T18:40:48.243Z","description":"Monitor for unusual processes execution, especially for processes that allow the proxy execution of malicious files.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a","created":"2023-09-28T21:10:50.480Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:10:50.480Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.192Z","relationship_type":"mitigates","description":"ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n","source_ref":"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","external_references":[{"source_name":"D. Parsons and D. Wylie September 2019","description":"D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ","url":"https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/"},{"source_name":"Colin Gray","description":"Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ","url":"https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901"},{"source_name":"Josh Rinaldi April 2016","description":"Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ","url":"https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/"},{"source_name":"Aditya K Sood July 2019","description":"Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ","url":"https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/"},{"source_name":"Langner November 2018","description":"Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ","url":"https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.239Z","relationship_type":"mitigates","description":"Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n","source_ref":"course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e","target_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","external_references":[{"source_name":"DHS National Urban Security Technology Laboratory April 2019","description":"DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ","url":"https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f","created":"2023-09-29T17:42:11.005Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:42:11.005Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b33f2abc-a218-425b-9a90-b75445b7e142","created":"2023-09-29T18:05:51.795Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:05:51.795Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b343e131-e448-46c6-815b-b86e4bd6d638","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Threat Intelligence August 2019","description":"Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 2020/01/03 ","url":"https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:06:51.429Z","description":"[TEMP.Veles](https://attack.mitre.org/groups/G0088) targeted several ICS vendors and manufacturers. (Citation: Dragos Threat Intelligence August 2019)","relationship_type":"uses","source_ref":"intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4","target_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b346eec8-de90-407c-b665-387086bb4553","created":"2022-09-29T01:36:02.223Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"},{"source_name":"Brubaker-Incontroller","description":"Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.","url":"https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.444Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to upload programs from Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server.(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa","type":"relationship","created":"2017-05-31T21:33:27.070Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html","description":"Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.","source_name":"iSIGHT Sandworm 2014"},{"url":"https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf","description":"F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.","source_name":"F-Secure BlackEnergy 2014"},{"source_name":"US District Court Indictment GRU Unit 74455 October 2020","url":"https://www.justice.gov/opa/press-release/file/1328521/download","description":"Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."},{"source_name":"UK NCSC Olympic Attacks October 2020","url":"https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games","description":"UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020."},{"source_name":"Secureworks IRON VIKING ","url":"https://www.secureworks.com/research/threat-profiles/iron-viking","description":"Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."}],"modified":"2022-02-28T17:02:50.401Z","description":"(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b352884f-2a60-41c6-b348-0bbb5859802a","created":"2023-09-28T20:01:52.459Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:01:52.459Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.236Z","relationship_type":"mitigates","description":"Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.\n","source_ref":"course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a","target_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--b37844c1-0338-44f6-9116-48fa0f079913","created":"2023-09-29T17:41:11.611Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:41:11.611Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Chris Bing May 2018","description":"Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 2020/01/03 ","url":"https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:07:07.445Z","description":"[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilizes watering hole websites to target industrial employees. (Citation: Chris Bing May 2018)","relationship_type":"uses","source_ref":"intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2","created":"2023-09-28T19:48:58.160Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:48:58.160Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b3b24837-83ed-46c5-ba80-66a832c7072e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.062Z","relationship_type":"mitigates","description":"All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T17:00:06.347Z","description":"Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08","created":"2023-09-28T20:02:20.170Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:02:20.170Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov","description":"Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ","url":"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:55:23.573Z","description":"[KillDisk](https://attack.mitre.org/software/S0607) looks for and terminates two non-standard processes, one of which is an ICS application. (Citation: Anton Cherepanov)","relationship_type":"uses","source_ref":"malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6","target_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T14:34:42.612Z","description":"Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.\n","relationship_type":"mitigates","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3","created":"2023-03-30T18:59:30.677Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T18:59:30.677Z","description":"Develop and publish policies that define acceptable information to be stored on local systems.","relationship_type":"mitigates","source_ref":"course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba","target_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b48be9f9-de0e-4548-ade3-09d47af52798","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:03:58.153Z","description":"Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if command messages are blocked.","relationship_type":"detects","source_ref":"x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3","created":"2022-09-27T17:37:02.670Z","revoked":false,"external_references":[{"source_name":"Nzyme Alerts Intro","description":"Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.","url":"https://www.nzyme.org/docs/alerts/intro"},{"source_name":"Wireless Intrusion Detection","description":"Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.","url":"https://apps.dtic.mil/sti/pdfs/ADA466332.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T17:37:02.670Z","description":"Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network) detection may be possible. Monitor for new or irregular network traffic flows which may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa","created":"2023-09-29T17:45:55.581Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:45:55.581Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1","created":"2023-03-10T20:10:23.377Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:10:23.377Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary falsified network addresses in order to send false data and instructions to pumping stations.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b5979643-fefb-460f-b59c-971efe95f121","created":"2022-09-27T16:57:48.758Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:42:28.408Z","description":"Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.","relationship_type":"detects","source_ref":"x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b59a96e4-bd70-4459-9609-66563bccd9c3","created":"2023-09-29T16:38:21.688Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:38:21.688Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Hydro","description":"Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ","url":"https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"},{"source_name":"Kevin Beaumont","description":"Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ","url":"https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:57:06.704Z","description":"Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of control which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)","relationship_type":"uses","source_ref":"malware--5af7a825-2d9f-400d-931a-e00eb9e27f48","target_ref":"attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.143Z","relationship_type":"mitigates","description":"This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n","source_ref":"course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433","target_ref":"attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.200Z","relationship_type":"mitigates","description":"Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n","source_ref":"course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433","target_ref":"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b628d878-4f35-4580-8d42-26984d13821e","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.143Z","relationship_type":"mitigates","description":"Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--b6309476-8268-4c47-920b-8a556cd8ae4c","created":"2023-09-29T18:47:07.359Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:47:07.359Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b69905bd-6865-4092-9543-47bd9ae318ec","created":"2023-09-28T19:54:22.618Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:54:22.618Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.232Z","relationship_type":"mitigates","description":"Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). (Citation: CISA June 2013)\n","source_ref":"course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","external_references":[{"source_name":"CISA June 2013","description":"CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/ncas/alerts/TA13-175A"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--b7284360-0d80-45bb-8486-263ae8f8fa63","created":"2023-09-28T21:26:01.106Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:26:01.106Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.128Z","relationship_type":"mitigates","description":"Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--b7344dfb-621b-4558-ab22-6c1f256ee746","created":"2023-09-29T16:46:27.408Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:46:27.408Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2","created":"2023-09-29T18:57:10.064Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:57:10.064Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T20:51:43.487Z","description":"Monitor for unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586","created":"2023-09-28T19:51:42.728Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:51:42.728Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b7f23af2-e948-4531-af56-1a1b4d03702f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.172Z","relationship_type":"mitigates","description":"Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e","created":"2023-09-29T18:42:53.573Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:42:53.573Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b8b1739d-dfa2-44e9-907f-7085e262512f","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T19:01:52.517Z","description":"Monitor login sessions for new or unexpected devices or sessions on wireless networks.","relationship_type":"detects","source_ref":"x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5","target_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:45:17.457Z","description":"Monitor for network traffic originating from unknown/unexpected systems.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T21:23:11.538Z","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n","relationship_type":"mitigates","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-10-14T17:59:24.739Z","modified":"2022-05-06T17:47:24.226Z","relationship_type":"mitigates","description":"Update software on control network assets when possible. If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.\n","source_ref":"course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e","target_ref":"attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.097Z","relationship_type":"mitigates","description":"All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.222Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.091Z","relationship_type":"mitigates","description":"Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.\n","source_ref":"course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b9e82422-b072-494f-99c1-fcab07b90133","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.146Z","relationship_type":"mitigates","description":"Require signed binaries.\n","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.091Z","relationship_type":"mitigates","description":"Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c","created":"2023-09-28T21:28:36.325Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:28:36.325Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a","created":"2023-09-28T20:03:54.209Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:03:54.209Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7","created":"2023-09-29T18:49:34.208Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:49:34.208Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341","created":"2024-03-25T20:17:36.433Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-25T20:17:36.433Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--baf4bd30-4213-43c3-b70c-54418e734caf","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.184Z","relationship_type":"mitigates","description":"Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--baf7daf3-2116-4051-91b5-f82e146167d0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.235Z","relationship_type":"mitigates","description":"Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259","created":"2023-09-29T16:45:08.209Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:45:08.209Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc","created":"2023-09-28T19:53:44.848Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:53:44.848Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.222Z","relationship_type":"mitigates","description":"Devices should authenticate all messages between master and outstation assets.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.112Z","relationship_type":"mitigates","description":"Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5","target_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--bc383819-2e40-49b4-bea9-95eb5d418877","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:15:38.341Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) uses a thread to monitor a data block DB890 of sequence A or B. This thread is constantly running and probing this block (every 5 minutes). On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify his own block DB890), this blocks data can be read and written. This thread is likely used to optimize the way sequences A and B work, and modify their behavior when the Step7 editor is opened. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9","created":"2023-09-28T21:22:21.776Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:22:21.776Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.218Z","relationship_type":"mitigates","description":"Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).\n","source_ref":"course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5","target_ref":"attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:49:50.583Z","description":"Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n","relationship_type":"mitigates","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:16:10.677Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a","created":"2023-09-28T21:16:24.310Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:16:24.310Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bd869385-5778-4303-8993-cc6412d12303","created":"2023-09-29T18:45:59.108Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:45:59.108Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.203Z","relationship_type":"mitigates","description":"Deploy anti-virus on all systems that support external email.\n","source_ref":"course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.082Z","relationship_type":"mitigates","description":"Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--be0f7d83-2441-4259-b411-46e0d10566b1","created":"2023-10-02T20:23:24.179Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:23:24.179Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--be532c78-daf5-431b-adae-ab11af395513","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:16:39.070Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--be950e87-80ac-49ea-810a-553c7f72151b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.073Z","relationship_type":"mitigates","description":"Devices should authenticate all messages between master and outstation assets.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2","created":"2023-09-28T20:31:17.116Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:31:17.116Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85","created":"2024-03-28T14:27:09.365Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TRITON 2018","description":"Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.","url":"https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:02:15.194Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used valid credentials when laterally moving through RDP jump boxes into the ICS environment.(Citation: FireEye TRITON 2018)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76","created":"2023-09-29T16:46:12.472Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:46:12.472Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:37:24.268Z","description":"Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.","relationship_type":"detects","source_ref":"x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71","target_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bf8e68fe-1969-48d1-be0e-ec742378748d","created":"2023-09-29T18:56:34.302Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:56:34.302Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302","created":"2023-09-29T18:06:02.077Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:06:02.077Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bf9f227c-e306-4257-add1-39c7c2e42040","created":"2023-09-29T18:47:28.758Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:47:28.758Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1","type":"relationship","created":"2020-09-22T19:41:27.951Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Secureworks REvil September 2019","url":"https://www.secureworks.com/research/revil-sodinokibi-ransomware","description":"Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020."},{"source_name":"Secureworks GandCrab and REvil September 2019","url":"https://www.secureworks.com/blog/revil-the-gandcrab-connection","description":"Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020."}],"modified":"2020-09-22T19:41:27.951Z","description":"(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)","relationship_type":"uses","source_ref":"intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133","target_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bffad8de-a807-4216-9753-008a87d9d77f","created":"2023-09-28T19:56:40.730Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:56:40.730Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef","created":"2023-09-28T21:17:47.080Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:17:47.080Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c0efb24a-2329-401a-bba6-817f2867bb3f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.183Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f","created":"2023-03-10T20:34:55.362Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:34:55.362Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary suppressed alarm reporting to the central computer.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CopyFromScreen .NET","description":"Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.","url":"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8"},{"source_name":"Antiquated Mac Malware","description":"Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.","url":"https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:38:15.307Z","description":"Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.","relationship_type":"detects","source_ref":"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e","target_ref":"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7","created":"2024-03-28T14:28:47.109Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TEMP.Veles 2018","description":"FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.","url":"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:02:24.842Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) made attempts on multiple victim machines to transfer and execute the WMImplant tool.(Citation: FireEye TEMP.Veles 2018)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.204Z","relationship_type":"mitigates","description":"Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.\n","source_ref":"course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2","created":"2023-09-29T18:09:02.311Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:09:02.311Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553","created":"2023-09-29T17:09:48.178Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:09:48.178Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5","created":"2023-09-29T16:28:39.397Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:28:39.397Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c233df49-e450-4151-8a0f-1765faf3d75a","created":"2023-09-29T17:08:08.883Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:08:08.883Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2","created":"2023-03-10T20:09:49.009Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:09:49.009Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f","created":"2023-09-29T17:59:54.204Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:59:54.204Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T21:23:21.586Z","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n","relationship_type":"mitigates","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac","created":"2021-04-13T12:28:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Threat Intelligence February 2020","description":"Dragos Threat Intelligence 2020, February 03 EKANS Ransomware and ICS Operations Retrieved. 2021/04/12 ","url":"https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:48:00.088Z","description":"[EKANS](https://attack.mitre.org/software/S0605) masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. (Citation: Dragos Threat Intelligence February 2020)","relationship_type":"uses","source_ref":"malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c37f097a-9698-412f-9e96-4d350bcd2790","created":"2023-09-29T16:44:26.728Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:44:26.728Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608","created":"2023-09-29T18:49:14.639Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:49:14.639Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c4122b58-f1b2-4656-a715-55016700bf75","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:56:39.825Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) automatically collects protocol object data to learn about control devices in the environment. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b","created":"2023-10-02T20:21:06.420Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:21:06.420Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa","created":"2022-09-27T16:35:12.372Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:47:35.207Z","description":"Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.","relationship_type":"detects","source_ref":"x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c4718fa2-2592-44b0-87d0-f866c118a779","created":"2023-09-29T18:07:09.213Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:07:09.213Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:42:42.363Z","description":"Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c4a50132-a210-4093-878d-3d6df23ed26e","created":"2023-09-29T17:10:09.146Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:10:09.146Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37","created":"2023-09-28T20:15:05.405Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:15:05.405Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c4dd7251-ed87-4629-86b5-090e52a82df2","created":"2024-04-09T21:00:32.387Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T21:00:32.387Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Robert Falcone, Bryan Lee May 2016","description":"Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ","url":"https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T16:32:03.970Z","description":"[OilRig](https://attack.mitre.org/groups/G0049) has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.(Citation: Robert Falcone, Bryan Lee May 2016)","relationship_type":"uses","source_ref":"intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c58563a8-d757-4476-8ae2-beb2acce38b3","created":"2023-10-02T20:20:55.473Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:20:55.473Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c596f45a-ad65-4673-b316-05378175f35e","created":"2024-04-09T20:54:19.196Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:54:19.196Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a","created":"2019-03-25T19:13:54.947Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Joe Slowik April 2019","description":"Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ","url":"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:32:08.109Z","description":"[WannaCry](https://attack.mitre.org/software/S0366) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)","relationship_type":"uses","source_ref":"malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd","created":"2023-09-29T18:43:49.839Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:43:49.839Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16","created":"2020-06-10T18:36:54.638Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Cyclops Blink March 2022","description":"Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.","url":"https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"},{"source_name":"NCSC Sandworm Feb 2020","description":"NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.","url":"https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory"},{"source_name":"mandiant_apt44_unearthing_sandworm","description":"Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.","url":"https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"},{"source_name":"US District Court Indictment GRU Unit 74455 October 2020","description":"Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.","url":"https://www.justice.gov/opa/press-release/file/1328521/download"},{"source_name":"Secureworks IRON VIKING ","description":"Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.","url":"https://www.secureworks.com/research/threat-profiles/iron-viking"},{"source_name":"UK NCSC Olympic Attacks October 2020","description":"UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.","url":"https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-08-20T19:05:24.106Z","description":"(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )(Citation: Trend Micro Cyclops Blink March 2022)(Citation: mandiant_apt44_unearthing_sandworm)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"malware--5719af9d-6b16-46f9-9b28-fb019541ddbb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c5fd0969-c151-4849-94c2-83e2e208cff7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.168Z","relationship_type":"mitigates","description":"Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n","source_ref":"course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:26:20.823Z","description":"Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T21:23:30.482Z","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n","relationship_type":"mitigates","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c6520346-fe47-44ce-af75-d99004ac2977","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:17:59.179Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.070Z","relationship_type":"mitigates","description":"Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36","created":"2023-09-28T21:27:50.246Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:27:50.246Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:45:39.703Z","description":"Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c67e3535-69a9-4234-8170-4ad6efc632b7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.211Z","relationship_type":"mitigates","description":"Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. (Citation: OWASP)\n","source_ref":"course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037","target_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","external_references":[{"source_name":"OWASP","description":"OWASP Top 10 Web Application Security Risks Retrieved. 2020/09/25 ","url":"https://owasp.org/www-project-top-ten/"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.132Z","relationship_type":"mitigates","description":"Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n","source_ref":"course-of-action--3172222b-4983-43f7-8983-753ded4f13bc","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","external_references":[{"source_name":"Gardiner, J., Cova, M., Nagaraja, S February 2014","description":"Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ","url":"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8","created":"2023-09-29T17:59:11.267Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:59:11.267Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374","created":"2022-09-26T14:35:27.430Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:35:27.430Z","description":"Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via [Rogue Master](https://attack.mitre.org/techniques/T0848).","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-23T18:57:08.952Z","description":"In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.186Z","relationship_type":"mitigates","description":"When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc","target_ref":"attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ACSC Email Spoofing","description":"Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.","url":"https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"},{"source_name":"Microsoft Anti Spoofing","description":"Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.","url":"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-05-31T04:18:44.578Z","description":"Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.174Z","relationship_type":"mitigates","description":"Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","external_references":[{"source_name":"Karen Scarfone; Paul Hoffman September 2009","description":"Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ","url":"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"},{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"},{"source_name":"Dwight Anderson 2014","description":"Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ","url":"https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c8222300-6c5e-42d6-ae67-3595407b89fd","created":"2024-04-09T20:54:39.801Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:54:39.801Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c","created":"2022-05-06T17:47:21.168Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Carl Hurd March 2019","description":"Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ","url":"https://www.youtube.com/watch?v=yuZazP22rpI"},{"source_name":"William Largent June 2018","description":"William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ","url":"https://blog.talosintelligence.com/2018/06/vpnfilter-update.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:31:07.308Z","description":"The [VPNFilter](https://attack.mitre.org/software/S1010)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)","relationship_type":"uses","source_ref":"malware--6108f800-10b8-4090-944e-be579f01263d","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-12T17:00:17.249Z","modified":"2022-05-06T17:47:24.212Z","relationship_type":"mitigates","description":"A supply chain management program should include methods the assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n","source_ref":"course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c","target_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","external_references":[{"source_name":"Robert A. Martin January 2021","description":"Robert A. Martin 2021, January TRUSTING OUR SUPPLY CHAINS: A COMPREHENSIVE DATA-DRIVEN APPROACH Retrieved. 2021/04/12 ","url":"https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-comprehensive-data-driven-approach.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c8dd2735-bd04-4413-847d-316b77c6de19","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:23:14.457Z","description":"Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.","relationship_type":"mitigates","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a","created":"2023-09-27T13:22:13.265Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T13:25:51.965Z","description":"(Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c9065f74-556d-4728-8072-f96642e70316","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-12T18:59:24.739Z","modified":"2022-05-06T17:47:24.187Z","relationship_type":"mitigates","description":"Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d","created":"2021-04-12T18:49:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureWorks September 2019","description":"SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ","url":"https://www.secureworks.com/research/revil-sodinokibi-ransomware"},{"source_name":"Tom Fakterman August 2019","description":"Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ","url":"https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:06:28.859Z","description":"[REvil](https://attack.mitre.org/software/S0496) sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. (Citation: Tom Fakterman August 2019) (Citation: SecureWorks September 2019)","relationship_type":"uses","source_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.068Z","relationship_type":"mitigates","description":"Provide an alternative method for alarms to be reported in the event of a communication failure.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--c95850f4-4616-435c-b237-f1985833d40e","created":"2023-09-29T16:29:39.918Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:29:39.918Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c9fb4adb-8064-426a-838d-c93674fb380b","created":"2023-09-29T18:44:38.035Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:44:38.035Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:50:10.284Z","description":"Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ca13a117-aae0-4802-878b-c09f4a04dd31","created":"2023-09-28T20:06:50.018Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:06:50.018Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ca225ea0-e813-4205-98db-707b474ae24f","created":"2024-04-09T20:49:44.575Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:49:44.575Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Anton Cherepanov, ESET June 2017","description":"Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T19:58:55.128Z","description":"[Industroyer](https://attack.mitre.org/software/S0604)'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. (Citation: Anton Cherepanov, ESET June 2017)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ca5c7ae7-5273-4888-bc50-183d6e200972","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.105Z","relationship_type":"mitigates","description":"Built-in browser sandboxes and application isolation may be used to contain web-based malware.\n","source_ref":"course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ca64a927-f050-41b3-80d3-93d22cdef26a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.081Z","relationship_type":"mitigates","description":"Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n","source_ref":"course-of-action--d0909119-2f71-4923-87db-b649881672d7","target_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ca768c2a-0f14-471c-90a5-bce649e88d51","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.105Z","relationship_type":"mitigates","description":"Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Carl Hurd March 2019","description":"Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ","url":"https://www.youtube.com/watch?v=yuZazP22rpI"},{"source_name":"William Largent June 2018","description":"William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ","url":"https://blog.talosintelligence.com/2018/06/vpnfilter-update.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:31:19.732Z","description":"The [VPNFilter](https://attack.mitre.org/software/S1010) packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)","relationship_type":"uses","source_ref":"malware--6108f800-10b8-4090-944e-be579f01263d","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b","type":"relationship","created":"2021-10-04T20:52:20.304Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"ESET Lazarus KillDisk April 2018","description":"Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.","url":"https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/"}],"modified":"2021-10-04T20:54:09.057Z","description":"(Citation: ESET Lazarus KillDisk April 2018)","relationship_type":"uses","source_ref":"intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340","target_ref":"malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:48:12.637Z","description":"Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.\n","relationship_type":"mitigates","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:18:37.808Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd","created":"2023-09-28T21:14:29.099Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:14:29.099Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.219Z","relationship_type":"mitigates","description":"Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).\n","source_ref":"course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc","target_ref":"attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794","created":"2023-03-30T14:08:42.386Z","revoked":false,"external_references":[{"source_name":"M. Rentschler and H. Heine","description":"M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ","url":"https://ieeexplore.ieee.org/document/6505877"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T14:08:42.386Z","description":"Retain cold-standby or replacement hardware of similar models to ensure continued operations of critical functions if the primary system is compromised or unavailable. (Citation: M. Rentschler and H. Heine)","relationship_type":"mitigates","source_ref":"course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd","target_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cba8313b-c338-45f7-88ef-a514094882ac","created":"2022-09-28T20:28:39.348Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.446Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to exploit a vulnerable Asrock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system.(Citation: Wylie-22)","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d","created":"2024-04-09T20:54:26.301Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:54:26.301Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749","created":"2023-10-20T17:05:25.595Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-20T17:05:25.595Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a","created":"2023-09-29T16:30:08.166Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:30:08.166Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--cca191a1-3c50-4d4f-8f79-4247e58af610","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.146Z","relationship_type":"mitigates","description":"Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.\n","source_ref":"course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c","created":"2022-09-27T15:34:07.320Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:34:07.320Z","description":"Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.","relationship_type":"detects","source_ref":"x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1","target_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67","created":"2021-04-13T11:15:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:19:13.497Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ccbb44ad-2220-4260-99ce-9142c44fc797","created":"2023-09-28T21:10:03.272Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:10:03.272Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7","created":"2021-04-13T12:08:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jos Wetzels January 2018","description":"Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ","url":"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:28:11.304Z","description":"[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. (Citation: Jos Wetzels January 2018)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.072Z","relationship_type":"mitigates","description":"Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2","created":"2023-09-28T20:15:56.470Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:15:56.470Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8","created":"2024-03-28T14:27:34.578Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Triton-EENews-2017","description":"Blake Sobczak. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024.","url":"https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"},{"source_name":"FireEye TRITON 2018","description":"Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.","url":"https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:02:44.848Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) utilized remote desktop protocol (RDP) jump boxes, poorly configured OT firewalls (Citation: Triton-EENews-2017), along with other traditional malware backdoors, to move into the ICS environment.(Citation: FireEye TRITON 2018)(Citation: Triton-EENews-2017)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T19:12:25.664Z","description":"Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986","created":"2023-09-29T16:31:36.462Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:31:36.462Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb","type":"relationship","created":"2021-01-20T21:03:13.436Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"US District Court Indictment GRU Unit 74455 October 2020","url":"https://www.justice.gov/opa/press-release/file/1328521/download","description":"Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."},{"source_name":"Secureworks IRON VIKING ","url":"https://www.secureworks.com/research/threat-profiles/iron-viking","description":"Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."}],"modified":"2022-02-28T17:02:50.467Z","description":"(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Secureworks IRON VIKING )","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.207Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a","created":"2022-09-26T14:37:45.140Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:37:45.140Z","description":"Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9","created":"2022-09-23T16:36:40.950Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:50:45.583Z","description":"Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.","relationship_type":"detects","source_ref":"x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d","target_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d","created":"2023-09-29T16:29:16.222Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:29:16.222Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-28T18:44:20.611Z","description":"Monitor for unexpected ICS protocol functions from new and existing devices. Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cf8a816c-30ee-4147-a48f-d797fb145a04","created":"2023-09-29T17:43:10.828Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:43:10.829Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.216Z","relationship_type":"mitigates","description":"The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n","source_ref":"course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185","created":"2023-09-28T21:15:44.547Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:15:44.547Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cfcbca89-8912-40c0-ac15-47882162b132","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T19:00:16.899Z","description":"Monitor application logs for new or unexpected devices or sessions on wireless networks.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab","created":"2023-10-02T20:22:25.770Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:22:25.770Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d03de729-9235-4ceb-a1c0-935e2088020b","created":"2023-09-28T21:29:12.533Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:29:12.533Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d08fdedd-12f6-4681-9167-70d070432dee","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.208Z","relationship_type":"mitigates","description":"Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--d1388bba-9869-4e3e-a6c9-430784ad924d","created":"2023-09-27T14:59:13.988Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.267Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), operators were shut out of their equipment either through the denial of peripheral use or the degradation of equipment. Operators were therefore unable to recover from the incident through their traditional means. Much of the power was restored manually. (Citation: Ukraine15 - EISAC - 201603)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d16e8909-d055-4174-aeb1-22c0613b2f73","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T13:53:55.028Z","description":"Disable unnecessary legacy network protocols that may be used for AiTM if applicable.\n","relationship_type":"mitigates","source_ref":"course-of-action--d0909119-2f71-4923-87db-b649881672d7","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d1971b32-3a15-4544-9f36-80c05121deb6","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.160Z","relationship_type":"mitigates","description":"All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--d1a97502-b41d-40a8-aff5-13367fefc642","created":"2023-09-28T21:21:45.003Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:21:45.003Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896","created":"2023-09-29T16:28:52.111Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:28:52.111Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.086Z","relationship_type":"mitigates","description":"Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n","source_ref":"course-of-action--da44255d-85c5-492c-baf3-ee823d44f848","target_ref":"attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--d23fd724-563d-4f49-8bcd-09c653728cd3","created":"2023-09-28T21:28:00.462Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:28:00.462Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242","created":"2023-09-28T19:53:20.304Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:53:20.304Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d2a434c7-4428-435e-ae6b-e54012f29606","created":"2023-09-25T20:43:52.987Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:43:52.987Z","description":"All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.","relationship_type":"mitigates","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af","created":"2022-09-27T16:08:15.473Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T16:08:15.473Z","description":"Monitor device application logs that indicate the program has changed, although not all devices produce such logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Robert Falcone, Bryan Lee May 2016","description":"Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ","url":"https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T16:32:31.072Z","description":"[OilRig](https://attack.mitre.org/groups/G0049) communicated with its command and control using HTTP requests. (Citation: Robert Falcone, Bryan Lee May 2016)","relationship_type":"uses","source_ref":"intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999","created":"2023-09-29T18:49:54.378Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:49:54.378Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72","created":"2023-09-28T19:38:27.199Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:38:27.199Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.227Z","relationship_type":"mitigates","description":"Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).\n","source_ref":"course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--d3d4f469-9847-41ef-a478-5eaf6003d483","created":"2023-10-02T20:23:00.405Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:23:00.405Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:49:29.157Z","description":"Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d455330d-f190-4854-8087-4c2c37003b45","created":"2023-09-29T17:39:29.897Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:39:29.897Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d48894cb-457e-4a81-82b4-2d735aea5128","created":"2023-09-28T19:50:56.496Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:50:56.496Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d4968f45-d06b-4843-8f72-6e08beb94cab","type":"relationship","created":"2017-05-31T21:33:27.070Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec Dragonfly","description":"Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.","url":"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"},{"source_name":"Gigamon Berserk Bear October 2021","url":"https://vblocalhost.com/uploads/VB2021-Slowik.pdf","description":"Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."}],"modified":"2021-12-07T18:39:07.922Z","description":"(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)","relationship_type":"uses","source_ref":"intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1","target_ref":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87","created":"2024-03-27T20:48:27.536Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Mandiant-Sandworm-Ukraine-2022","description":"Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.","url":"https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T15:20:33.849Z","description":"During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used existing hypervisor access to map an ISO image named `a.iso` to a virtual machine running a SCADA server. The SCADA server’s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed.(Citation: Mandiant-Sandworm-Ukraine-2022)","relationship_type":"uses","source_ref":"campaign--df8eb785-70f8-4300-b444-277ba849083d","target_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a","created":"2019-03-25T19:13:54.947Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Joe Slowik April 2019","description":"Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ","url":"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:32:23.717Z","description":"[WannaCry](https://attack.mitre.org/software/S0366) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)","relationship_type":"uses","source_ref":"malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d58d8b19-90bc-4a7f-840d-076be296ff20","created":"2023-09-29T17:09:01.803Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:09:01.803Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a","created":"2023-09-28T19:43:49.584Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:43:49.584Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d","created":"2023-09-29T17:38:17.313Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:38:17.313Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0","created":"2023-09-29T17:08:23.682Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:08:23.682Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d648b3c7-77d2-42f3-a367-620621b714ab","created":"2023-09-28T21:11:29.314Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:11:29.314Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d67ae959-9014-4501-b963-42bee03a5e3b","created":"2024-03-25T20:09:34.908Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jamie Tarabay and Katrina Manson December 2023","description":"Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024.","url":"https://www.bloomberg.com/news/articles/2023-12-22/iranian-linked-hacks-expose-failure-to-safeguard-us-water-system"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:12:52.735Z","description":"During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused multiple businesses to halt operations in their industrial environments, impacting their typical business operations. These victims covered multiple sectors.(Citation: Jamie Tarabay and Katrina Manson December 2023)","relationship_type":"uses","source_ref":"campaign--8fda050f-470d-4401-994e-35c1a6c301de","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.209Z","relationship_type":"mitigates","description":"When available utilize hardware and software root-of-trust to verify the authenticity of a system. This may be achieved through cryptographic means, such as digital signatures or hashes, of critical software and firmware throughout the supply chain.\n","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:31:22.665Z","description":"Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.","relationship_type":"detects","source_ref":"x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d72e7d01-56be-4fbd-8957-3384533ba83b","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jos Wetzels January 2018","description":"Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ","url":"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:28:23.911Z","description":"[Triton](https://attack.mitre.org/software/S1009) leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. (Citation: Jos Wetzels January 2018)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de","created":"2023-09-29T18:48:41.176Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:48:41.176Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5","created":"2023-09-28T20:29:50.745Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:29:50.745Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d7ea83fa-87c7-4d36-96d5-aee554504040","created":"2017-05-31T21:33:27.074Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Marc-Etienne M.Lveill October 2017","description":"Marc-Etienne M.Lveill 2017, October 24 Bad Rabbit: NotPetya is back with improved ransomware Retrieved. 2019/10/27 ","url":"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:31:02.075Z","description":"Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0606), resulting in some computers becoming encrypted, according to media reports. (Citation: Marc-Etienne M.Lveill October 2017)","relationship_type":"uses","source_ref":"malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18","created":"2023-09-29T16:46:01.992Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:46:01.992Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:28:39.359Z","description":"[Triton](https://attack.mitre.org/software/S1009) has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d854cc38-adf7-485d-96b5-70606f6cb87e","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:24:28.935Z","description":"Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.","relationship_type":"mitigates","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d8911566-f622-4a01-b765-514dbbfd8201","created":"2022-09-28T20:27:01.345Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.447Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can deploy Tcpdump to sniff network traffic and collect PCAP files.(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa","created":"2023-09-28T21:14:51.778Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:14:51.778Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d8f45959-e0fc-4b4f-a074-a3acea926300","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.194Z","relationship_type":"mitigates","description":"Consider the disabling of features such as AutoRun.\n","source_ref":"course-of-action--d0909119-2f71-4923-87db-b649881672d7","target_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--d8f95008-33c9-4572-9916-023d8de449b1","created":"2023-09-29T18:04:16.785Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:04:16.785Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ICS-CERT August 2018","description":"ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ","url":"https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:23:33.379Z","description":"The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. (Citation: ICS-CERT August 2018)","relationship_type":"uses","source_ref":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d90b1271-a90d-41c7-9df7-bec47880c82e","created":"2022-09-27T15:33:46.485Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T15:33:46.485Z","description":"Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.","relationship_type":"detects","source_ref":"x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5","target_ref":"attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:35:32.480Z","description":"[BlackEnergy](https://attack.mitre.org/software/S0089) targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. (Citation: Booz Allen Hamilton)\n","relationship_type":"uses","source_ref":"malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d96788b4-55dd-48df-bb9b-83b33ca24813","created":"2023-09-28T19:55:22.376Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:55:22.376Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d9de58a6-58fd-499c-ba7d-588239297179","created":"2023-09-29T16:42:31.464Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:42:31.464Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5","created":"2023-09-28T19:51:11.687Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:51:11.687Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a","created":"2023-09-29T16:42:53.226Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:42:53.226Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0","created":"2023-09-29T18:06:57.332Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:06:57.332Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--da987131-bf37-4730-9914-323879d2b5c3","created":"2023-09-28T20:34:11.025Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:34:11.025Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8","created":"2023-09-28T19:44:22.801Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:44:22.801Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dadfed22-d70c-482b-9026-964396d75484","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:42:28.053Z","description":"Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--db46e84f-435e-4022-b484-e6d2e253660c","created":"2023-09-29T18:06:13.468Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:06:13.468Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a","created":"2022-09-30T15:34:29.316Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-30T15:34:29.316Z","description":"Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dbcc492c-782e-4418-8373-dbc7a76498b0","created":"2023-09-29T17:45:35.293Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:45:35.293Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.170Z","relationship_type":"mitigates","description":"Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--dc35c44a-a90c-48a1-8811-af2618216e42","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-17T16:45:08.648Z","description":"Use strong multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials. Be aware of multi-factor authentication interception techniques for some implementations.\n","relationship_type":"mitigates","source_ref":"course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.218Z","relationship_type":"mitigates","description":"Filter for protocols and payloads associated with firmware activation or updating activity.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f","created":"2023-09-29T18:06:35.470Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:06:35.470Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dda29418-9570-405a-b7db-97e951e5aa53","created":"2022-09-26T19:36:13.409Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:35:58.409Z","description":"Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dda89758-9d0b-446d-b594-85acc7f9cb90","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T21:23:40.524Z","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n","relationship_type":"mitigates","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--dded2d68-35c7-42c4-af10-efe7731673e3","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.108Z","relationship_type":"mitigates","description":"All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.\n","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--de8b8a69-5f08-421a-96f0-2bed5707508d","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nzyme Alerts Intro","description":"Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.","url":"https://www.nzyme.org/docs/alerts/intro"},{"source_name":"Wireless Intrusion Detection","description":"Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.","url":"https://apps.dtic.mil/sti/pdfs/ADA466332.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T18:57:13.322Z","description":"New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dead5325-7efe-4dcc-bf78-42b9190f74da","created":"2023-09-29T16:46:40.272Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:46:40.272Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--deb83319-bc5a-4b9b-a44a-bd369b899601","created":"2024-03-25T20:18:12.056Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-25T20:18:12.056Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--def57041-6bb4-453a-bf04-188b9e97a35d","created":"2023-09-28T21:26:34.603Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:26:34.603Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--df321d74-25d6-42da-80e8-3c9a291cb471","created":"2023-09-28T19:57:41.602Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:57:41.602Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T16:46:30.174Z","description":"Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n","relationship_type":"mitigates","source_ref":"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--df7b521e-4496-432f-a61d-3094d0c7bc23","created":"2023-09-29T17:58:26.994Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:58:26.994Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--df80e2b6-5672-4f26-a19c-a394f3731f24","created":"2023-09-28T19:48:48.649Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:48:48.649Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--df88d021-cb8e-482d-9260-445d0a0244ac","created":"2024-03-27T19:51:10.097Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Mandiant-Sandworm-Ukraine-2022","description":"Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.","url":"https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T15:20:41.991Z","description":"During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged the SCIL-API on the MicroSCADA platform to execute commands through the `scilc.exe` binary.(Citation: Mandiant-Sandworm-Ukraine-2022)","relationship_type":"uses","source_ref":"campaign--df8eb785-70f8-4300-b444-277ba849083d","target_ref":"attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--df95c619-33ee-4484-934a-78857717323e","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T19:18:47.783Z","description":"Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. Network traffic content will provide valuable context and details about the content of network flows.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da","created":"2023-09-28T20:11:11.658Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:11:11.658Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dfb20521-91c2-4f55-b92a-dab959759b78","created":"2023-09-29T18:03:38.874Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:03:38.874Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:23:18.048Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:45:37.289Z","description":"Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of [Valid Accounts](https://attack.mitre.org/techniques/T0859).","relationship_type":"detects","source_ref":"x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.227Z","relationship_type":"mitigates","description":"Prevent the use of unsigned executables, such as installers and scripts.\n","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca","created":"2022-09-27T15:42:39.964Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:43:48.288Z","description":"Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.","relationship_type":"detects","source_ref":"x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1","target_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e0aee02c-b424-4781-be10-793d71594c31","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Daavid Hentunen, Antti Tikkanen June 2014","description":"Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ","url":"https://www.f-secure.com/weblog/archives/00002718.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:23:47.107Z","description":"The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through a trojanized installer attached to emails. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)","relationship_type":"uses","source_ref":"malware--083bb47b-02c8-4423-81a2-f9ef58572974","target_ref":"attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.123Z","relationship_type":"mitigates","description":"Update software regularly by employing patch management for internal enterprise endpoints and servers.\n","source_ref":"course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb","created":"2023-03-10T20:08:40.601Z","revoked":false,"external_references":[{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-10T20:08:40.601Z","description":"In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network, preventing them from viewing the state of the system.(Citation: Marshall Abrams July 2008)","relationship_type":"uses","source_ref":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","target_ref":"attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e","created":"2023-09-28T19:42:54.009Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:42:54.009Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:40:47.334Z","description":"Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.","relationship_type":"detects","source_ref":"x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14","created":"2023-03-31T17:44:45.164Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Crashoverride 2018","description":"Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-07T17:54:45.912Z","description":"During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.(Citation: Dragos Crashoverride 2018)","relationship_type":"uses","source_ref":"campaign--aa73efef-1418-4dbe-b43c-87a498e97234","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74","created":"2023-09-29T17:08:48.251Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:08:48.251Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e18af08c-3953-4b1d-b46c-45572fdb5187","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T19:02:08.013Z","description":"Monitor operational data for indicators of temporary data loss which may indicate a Denial of Service. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95","target_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4","created":"2023-09-28T20:09:07.381Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:09:07.381Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e257913e-40ba-4a05-ba97-0c3175c966b5","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"},{"source_name":"Langer Stuxnet","description":"Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.","url":"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-17T16:01:04.366Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions. (Citation: Langer Stuxnet) (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e323dee4-a896-4a82-85f5-d51d311b0437","created":"2021-04-12T18:49:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Max Heinemeyer February 2020","description":"Max Heinemeyer 2020, February 21 Post-mortem of a targeted Sodinokibi ransomware attack Retrieved. 2021/04/12 ","url":"https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:06:56.076Z","description":"[REvil](https://attack.mitre.org/software/S0496) uses the SMB protocol to encrypt files located on remotely connected file shares. (Citation: Max Heinemeyer February 2020)","relationship_type":"uses","source_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00","created":"2022-09-28T20:25:51.024Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos-Pipedream","description":"DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.","url":"https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"},{"source_name":"Wylie-22","description":"Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.","url":"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"},{"source_name":"Brubaker-Incontroller","description":"Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.","url":"https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-13T16:53:47.448Z","description":"[INCONTROLLER](https://attack.mitre.org/software/S1045) can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Wylie-22) ","relationship_type":"uses","source_ref":"malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e3b04152-0c90-41ff-a333-c5163fa9714f","created":"2023-09-29T17:41:22.619Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:41:22.619Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e41a04fe-a142-4294-a9f2-576214e1f985","created":"2024-04-09T20:48:04.616Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:48:04.616Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e434db5d-f201-4411-825f-4a50e1e78c75","created":"2023-09-29T17:06:20.834Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:06:20.834Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc","created":"2023-09-29T18:49:44.351Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:49:44.351Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e4a11381-8608-4c71-966f-df0cbb834fe0","created":"2022-09-30T15:35:09.660Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:51:08.392Z","description":"Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972","created":"2023-09-29T16:45:33.777Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:45:33.777Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a","created":"2024-04-09T21:00:11.159Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T21:00:11.159Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","target_ref":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e5afc447-a241-4773-9a8a-3d6fd205d926","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.106Z","relationship_type":"mitigates","description":"Utilize exploit protection to prevent activities which may be exploited through malicious web sites.\n","source_ref":"course-of-action--49363b74-d506-4342-bd63-320586ebadb9","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506","created":"2022-05-11T16:22:58.806Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:52:04.484Z","description":"Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454","created":"2023-10-02T20:17:51.320Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:17:51.320Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e607bb66-e53f-4684-b3f1-36a997e27d01","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.087Z","relationship_type":"mitigates","description":"Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n","source_ref":"course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401","target_ref":"attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916","external_references":[{"source_name":"A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004","description":"A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ","url":"https://www.icheme.org/media/9906/xviii-paper-23.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb","created":"2023-09-28T20:30:32.778Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:30:32.778Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:42:45.693Z","description":"All field controllers should restrict the modification of parameter values to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. They should also restrict online edits and enable write protection for parameters. \n","relationship_type":"mitigates","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.081Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9","created":"2023-09-28T19:42:16.270Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:42:16.270Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.109Z","relationship_type":"mitigates","description":"Application isolation will limit the other processes and system features an exploited target can access. Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.\n","source_ref":"course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea","target_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--e78ff18e-c919-4145-b8b8-540ae7dc94d2","created":"2024-03-26T15:40:53.801Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T15:40:53.801Z","description":"Monitor for newly constructed drive letters or mount points to removable media. ","relationship_type":"detects","source_ref":"x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f","target_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2","created":"2023-09-29T16:45:20.769Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:45:20.769Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42","created":"2023-09-29T16:39:41.736Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:39:41.736Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.097Z","relationship_type":"mitigates","description":"Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n","source_ref":"course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd","target_ref":"attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac","external_references":[{"source_name":"M. Rentschler and H. Heine","description":"M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ","url":"https://ieeexplore.ieee.org/document/6505877"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.104Z","relationship_type":"mitigates","description":"All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:46:16.720Z","description":"When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.088Z","relationship_type":"mitigates","description":"Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n","source_ref":"course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8","created":"2023-09-28T19:50:30.312Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:50:30.312Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e915e12c-3d0c-4f60-b119-9414940abb0b","created":"2023-09-28T20:08:27.145Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:08:27.145Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42","created":"2023-09-28T19:45:18.672Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:45:18.672Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e98892d6-e036-4140-adbb-2932dba51a19","created":"2023-09-28T20:08:09.519Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:08:09.519Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e9f5096e-b9fc-459a-a303-88763b1269cc","type":"relationship","created":"2020-05-14T14:41:42.975Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.","url":"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html","source_name":"FireEye FIN6 Apr 2019"}],"modified":"2020-05-15T19:15:35.568Z","description":"(Citation: FireEye FIN6 Apr 2019)","relationship_type":"uses","source_ref":"intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb","target_ref":"malware--a020a61c-423f-4195-8c46-ba1d21abba37","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ea50253a-3220-458b-b810-ad032f2b182f","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"DHS CISA February 2019","description":"DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ","url":"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"},{"source_name":"ICS-CERT December 2018","description":"ICS-CERT 2018, December 18 Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B) Retrieved. 2019/03/08 ","url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02"},{"source_name":"Schneider Electric January 2018","description":"Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ","url":"https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s"},{"source_name":"The Office of Nuclear Reactor Regulation","description":"The Office of Nuclear Reactor Regulation Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 Triconex Topical Report 7286-545-1 Retrieved. 2018/05/30 ","url":"https://www.nrc.gov/docs/ML1209/ML120900890.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:28:54.342Z","description":"[Triton](https://attack.mitre.org/software/S1009) disables a firmware RAM/ROM consistency check after injects a payload (imain.bin) into the firmware memory region. (Citation: DHS CISA February 2019) (Citation: ICS-CERT December 2018) (Citation: Schneider Electric January 2018) Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. (Citation: The Office of Nuclear Reactor Regulation)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:51:47.079Z","description":"Monitor ICS automation protocols for functions that restart or shutdown a device. Commands to restart or shutdown devices may also be observable in traditional IT management protocols.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ea817c7a-9424-4204-90a5-6f8fb86037be","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.230Z","relationship_type":"mitigates","description":"Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n","source_ref":"course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4","created":"2023-09-29T17:38:59.611Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:38:59.611Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.101Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960","created":"2023-09-28T20:28:52.768Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:28:52.768Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53","created":"2023-09-28T20:05:15.314Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:05:15.314Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026","created":"2021-10-08T15:25:32.143Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:20:42.055Z","description":"[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:42:04.422Z","description":"Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.","relationship_type":"detects","source_ref":"x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b","created":"2023-09-28T19:44:09.311Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:44:09.311Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f","created":"2021-10-08T15:42:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos Inc. June 2017","description":"Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ","url":"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:01:24.078Z","description":"[Sandworm Team](https://attack.mitre.org/groups/G0034) establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. June 2017)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eb5310c6-7500-4b16-8ca7-6678c6232001","created":"2023-09-29T19:36:38.824Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T19:36:38.824Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.175Z","relationship_type":"mitigates","description":"Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0","created":"2023-09-29T17:09:37.977Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:09:37.977Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.177Z","relationship_type":"mitigates","description":"Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643","created":"2023-09-28T21:25:48.379Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:25:48.379Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.139Z","relationship_type":"mitigates","description":"Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n","source_ref":"course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e","target_ref":"attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36","external_references":[{"source_name":"National Institute of Standards and Technology April 2013","description":"National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ed095993-bc85-431e-9621-437143f16d44","created":"2023-09-29T17:44:09.285Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:44:09.285Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ed3ce006-cf41-46f6-bd86-054314c130dc","created":"2023-09-28T21:15:57.120Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:15:57.120Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ed3ef546-566a-46c7-918e-7bfa10d05991","created":"2023-09-29T17:06:47.370Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:06:47.370Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ed66e087-8877-4146-a16a-44cfd144a3d8","created":"2023-09-29T17:07:00.450Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:07:00.450Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ed8b97e2-5966-4844-a636-524541a46e43","created":"2023-09-29T16:39:18.448Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:39:18.448Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb","created":"2023-09-29T16:39:29.206Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:39:29.206Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6","created":"2022-09-27T16:56:30.665Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:39:41.897Z","description":"Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.","relationship_type":"detects","source_ref":"x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b","created":"2023-09-29T17:58:54.996Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:58:54.996Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1","created":"2023-09-28T21:12:00.004Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:12:00.004Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--edf73653-b2d7-422f-b433-b6a428ff12d4","created":"2017-05-31T21:33:27.074Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017","description":"Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ","url":"https://securelist.com/bad-rabbit-ransomware/82851/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:31:21.210Z","description":"[Bad Rabbit](https://attack.mitre.org/software/S0606) is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)","relationship_type":"uses","source_ref":"malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2","created":"2023-09-29T17:58:04.082Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:58:04.082Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:44:27.451Z","description":"Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e","created":"2021-04-12T18:49:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Tom Fakterman August 2019","description":"Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ","url":"https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:07:33.947Z","description":"[REvil](https://attack.mitre.org/software/S0496) utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. (Citation: Tom Fakterman August 2019)","relationship_type":"uses","source_ref":"malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5","target_ref":"attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:35:50.632Z","description":"[BlackEnergy](https://attack.mitre.org/software/S0089) utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. (Citation: Booz Allen Hamilton)\n","relationship_type":"uses","source_ref":"malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97","created":"2023-09-28T20:05:33.450Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:05:33.450Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ee89466e-0655-4217-844d-fb8ea4f76247","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.065Z","relationship_type":"mitigates","description":"Filter for protocols and payloads associated with firmware activation or updating activity.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6","created":"2023-09-28T20:04:07.868Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:04:07.868Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Department of Homeland Security October 2009","description":"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-19T21:23:52.947Z","description":"Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n","relationship_type":"mitigates","source_ref":"course-of-action--ad12819e-3211-4291-b360-069f280cff0a","target_ref":"attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.231Z","relationship_type":"mitigates","description":"Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n","source_ref":"course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","external_references":[{"source_name":"Keith Stouffer May 2015","description":"Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"Schweitzer Engineering Laboratories August 2015","description":"Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 2020/09/25 ","url":"https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8","created":"2023-09-28T21:11:45.241Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:11:45.241Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--eeeff03f-7436-4f76-8591-42075e6647d4","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.076Z","relationship_type":"mitigates","description":"All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.\n","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3","created":"2023-09-28T19:54:48.577Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:54:48.577Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Symantec Security Response July 2014","description":"Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ","url":"https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries."}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T16:12:48.097Z","description":"[Dragonfly](https://attack.mitre.org/groups/G0035) trojanized legitimate ICS equipment providers software packages available for download on their websites.(Citation: Symantec Security Response July 2014)","relationship_type":"uses","source_ref":"intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1","target_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--efb80069-e4be-4055-bd34-06d1376b4601","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.109Z","relationship_type":"mitigates","description":"Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4","external_references":[{"source_name":"McCarthy, J et al. July 2018","description":"McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ","url":"https://doi.org/10.6028/NIST.SP.1800-2"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0","created":"2023-09-29T16:39:09.447Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:39:09.447Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f05a2592-00f9-4f1f-ba55-395af5444b96","created":"2023-09-29T17:42:29.179Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:42:29.179Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f08d487a-7837-48f9-9301-fe0f9f144c92","created":"2023-09-28T20:31:04.691Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:31:04.691Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.160Z","relationship_type":"mitigates","description":"Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a","target_ref":"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:21:24.221Z","description":"When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, [Stuxnet](https://attack.mitre.org/software/S0603) prevents an operator from noticing unauthorized commands sent to the peripheral. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-12T18:59:17.429Z","modified":"2022-05-06T17:47:24.189Z","relationship_type":"mitigates","description":"Filter application-layer protocol messages for remote services to block any unauthorized activity.\n","source_ref":"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17","target_ref":"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d","created":"2023-09-29T18:45:34.258Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:45:34.258Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb","created":"2023-09-28T21:23:01.421Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:23:01.421Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f130282b-f681-455f-966b-55829842be92","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Langer Stuxnet","description":"Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.","url":"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-17T16:00:06.894Z","description":"One of [Stuxnet](https://attack.mitre.org/software/S0603)'s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged. (Citation: Langer Stuxnet)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8","created":"2023-09-28T21:24:22.815Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:24:22.815Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f145b7e5-048b-46e7-8439-e2b88917523c","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:48:47.595Z","description":"Monitor alarms for information about when an operating mode is changed, although not all devices produce such logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","target_ref":"attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f15f24d2-e581-46ce-83e4-a924f572aae6","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.065Z","relationship_type":"mitigates","description":"Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","external_references":[{"source_name":"Department of Homeland Security September 2016","description":"Department of Homeland Security 2016, September Retrieved. 2020/09/25 ","url":"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--f19c34b2-ef3a-4581-b604-6639f501e32f","created":"2023-10-02T20:20:32.163Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:20:32.163Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704","created":"2023-09-29T17:07:38.219Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:07:38.219Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b52870cc-83f3-473c-b895-72d91751030b","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.150Z","relationship_type":"mitigates","description":"All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n","source_ref":"course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3","target_ref":"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--f29ecf69-1753-44bb-9b80-1025f49cadda","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Nicolas Falliere, Liam O Murchu, Eric Chien February 2011","description":"Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ","url":"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-20T21:24:02.276Z","description":"DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious [Stuxnet](https://attack.mitre.org/software/S0603) block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. The replaced DP_RECV block (later on referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)","relationship_type":"uses","source_ref":"malware--088f1d6e-0783-47c6-9923-9c79b2af43d4","target_ref":"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:38:17.130Z","description":"Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e","target_ref":"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"McAfee CHIPSEC Blog","description":"Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.","url":"https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/"},{"source_name":"MITRE Copernicus","description":"Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.","url":"http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about"},{"source_name":"Intel HackingTeam UEFI Rootkit","description":"Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.","url":"http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"},{"source_name":"Github CHIPSEC","description":"Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.","url":"https://github.com/chipsec/chipsec"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:48:28.074Z","description":"Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)","relationship_type":"detects","source_ref":"x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f347b4fe-d829-427d-851a-fff3393441db","created":"2021-04-12T07:57:26.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Joe Slowik August 2019","description":"Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ","url":"https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-14T20:00:00.650Z","description":"[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Joe Slowik August 2019)","relationship_type":"uses","source_ref":"malware--e401d4fe-f0c9-44f0-98e6-f93487678808","target_ref":"attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b","created":"2023-09-28T21:23:51.038Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:23:51.038Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba","created":"2023-03-30T14:11:33.618Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T14:11:33.618Z","description":"Monitor for device credential changes observable in automation or management network protocols.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2021-04-13T12:08:26.506Z","modified":"2022-05-06T17:47:24.118Z","relationship_type":"mitigates","description":"Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n","source_ref":"course-of-action--d48b79b2-076d-483e-949c-0d38aa347499","target_ref":"attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--f45c2df8-30e7-45d0-8067-7b2870767574","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:28:22.574Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.091Z","relationship_type":"mitigates","description":"Develop and publish policies that define acceptable information to be stored in repositories.\n","source_ref":"course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba","target_ref":"attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1","created":"2023-09-28T19:49:56.464Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:49:56.464Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:33:51.166Z","description":"Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.","relationship_type":"detects","source_ref":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","target_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f531e763-3550-40ba-a6a1-81e208ca12c6","created":"2023-09-29T16:41:06.217Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:41:06.217Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7","created":"2023-09-28T21:26:23.361Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:26:23.361Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f584a257-c22a-434b-aa2d-6220987821ab","created":"2021-10-13T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Jos Wetzels January 2018","description":"Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ","url":"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T18:29:11.326Z","description":"[Triton](https://attack.mitre.org/software/S1009) can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. (Citation: Jos Wetzels January 2018)","relationship_type":"uses","source_ref":"malware--80099a91-4c86-4bea-9ccb-dac55d61960e","target_ref":"attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545","created":"2023-09-29T18:44:50.280Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:44:50.280Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f5c9f641-a498-46b5-9068-39502db53cfd","created":"2023-09-28T20:10:55.590Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:10:55.590Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4","created":"2023-09-29T17:04:55.720Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:04:55.720Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51","created":"2023-09-29T17:05:20.132Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:05:20.132Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349","target_ref":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos","description":"Dragos Chrysene Retrieved. 2019/10/27 ","url":"https://dragos.com/resource/chrysene/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T16:32:49.409Z","description":"[OilRig](https://attack.mitre.org/groups/G0049) utilized stolen credentials to gain access to victim machines.(Citation: Dragos)","relationship_type":"uses","source_ref":"intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d","target_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659","created":"2023-09-28T19:55:58.229Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:55:58.229Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f664bf42-5fb2-41e5-b790-978ddf866da3","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T17:45:58.655Z","description":"Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network. ","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6","created":"2023-09-28T20:12:09.661Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:12:09.661Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101","target_ref":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f6ff74c2-d088-4252-a8e0-189574863765","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-21T16:44:46.032Z","description":"Communication authenticity will ensure that any messages tampered with through AiTM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various AiTM procedures.\n","relationship_type":"mitigates","source_ref":"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac","target_ref":"attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.147Z","relationship_type":"mitigates","description":"Use file system access controls to protect system and application folders.\n","source_ref":"course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971","target_ref":"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c","created":"2023-09-29T16:45:42.977Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:45:42.977Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb","target_ref":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846","created":"2023-09-29T18:47:39.450Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T18:47:39.450Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377","target_ref":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138","created":"2023-09-28T20:31:31.498Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:31:31.498Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df","created":"2023-09-27T14:58:21.360Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"},{"source_name":"Ukraine15 - EISAC - 201603","description":"Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.","url":"https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-04T17:03:24.268Z","description":"During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened the breakers at the infected sites, shutting the power off for thousands of businesses and households for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)","relationship_type":"uses","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f7d672f6-993b-4036-961d-f6e22e94446c","created":"2024-04-09T20:48:30.734Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-09T20:48:30.734Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5","target_ref":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Eduard Kovacs May 2018","description":"Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved September 12, 2024.","url":"https://web.archive.org/web/20220120001230/https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-12T19:53:14.409Z","description":"[OilRig](https://attack.mitre.org/groups/G0049) has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. (Citation: Eduard Kovacs May 2018)","relationship_type":"uses","source_ref":"intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089","created":"2023-09-28T20:16:40.519Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:16:40.519Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f862418a-e7b4-4783-8949-7145f3dee665","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.104Z","relationship_type":"mitigates","description":"Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n","source_ref":"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549","target_ref":"attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702","created":"2023-03-22T15:52:30.607Z","revoked":false,"external_references":[{"source_name":"PLCTop20 Mar 2023","description":"PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.","url":"https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-22T15:52:30.607Z","description":"Devices and programs should validate the content of any remote parameter changes, including those from HMIs, control servers, or engineering workstations.(Citation: PLCTop20 Mar 2023)","relationship_type":"mitigates","source_ref":"course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517","target_ref":"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T16:09:42.474Z","description":"Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f92764db-a880-4726-9d28-a035170f790c","created":"2023-09-28T21:22:35.236Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:22:35.236Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f951d934-d555-45e9-a564-27b84518cae4","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.070Z","relationship_type":"mitigates","description":"Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n","source_ref":"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a","target_ref":"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T14:34:29.743Z","description":"Monitor for unexpected ICS protocol command functions to controllers from existing master devices (including from new processes) or from new devices. The latter is like detection for [Rogue Master](https://attack.mitre.org/techniques/T0848) but requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).\n\nMonitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b","created":"2023-09-28T19:48:37.072Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:48:37.072Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.185Z","relationship_type":"mitigates","description":"Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n","source_ref":"course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697","target_ref":"attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.184Z","relationship_type":"mitigates","description":"Allow for code signing of any project files stored at rest to prevent unauthorized tampering. Ensure the signing keys are not easily accessible on the same system.\n","source_ref":"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a","target_ref":"attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa","created":"2020-09-21T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-08T22:28:50.588Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fa726dae-84da-4500-8516-1522da2c6fa4","created":"2024-03-26T15:41:14.121Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T15:41:14.121Z","description":"Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. ","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0","created":"2023-09-29T16:28:04.180Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T16:28:04.180Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fad25140-73de-40d5-a010-3464188db973","created":"2023-09-25T20:51:07.162Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T20:51:07.162Z","description":"All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.","relationship_type":"mitigates","source_ref":"course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0","target_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fadbdca3-3c98-497c-a156-e53b89664359","created":"2023-09-28T20:16:55.038Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T20:16:55.038Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","target_ref":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--faf163b6-4e35-43d6-9c0c-83d91d215854","created":"2024-09-11T22:57:39.900Z","revoked":false,"external_references":[{"source_name":"Claroty Fuxnet 2024","description":"Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.","url":"https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-11T22:57:39.900Z","description":"[Fuxnet](https://attack.mitre.org/software/S1157) physically destroyed NAND memory chips on impacted devices through repeated bit-flip operations.(Citation: Claroty Fuxnet 2024)","relationship_type":"uses","source_ref":"malware--931e2489-8078-4f9f-85b2-a9211950e75b","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161","created":"2022-05-11T16:22:58.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:58:34.751Z","description":"Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1","created":"2023-09-29T17:38:28.664Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-29T17:38:28.664Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4","target_ref":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c","created":"2022-05-11T16:22:58.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T17:15:27.767Z","description":"Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:55:14.825Z","description":"Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Eduard Kovacs May 2018","description":"Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved September 12, 2024.","url":"https://web.archive.org/web/20220120001230/https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-12T19:53:14.410Z","description":"[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018)","relationship_type":"uses","source_ref":"intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d","created":"2022-05-11T16:22:58.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T16:45:25.119Z","description":"Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.111Z","relationship_type":"mitigates","description":"Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n","source_ref":"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291","target_ref":"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--fcba6a58-72b0-4d54-a887-740624e22f6f","created":"2024-03-26T15:42:36.840Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T15:42:36.840Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","target_ref":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.106Z","relationship_type":"mitigates","description":"Restrict browsers to limit the capabilities of malicious ads and Javascript.\n","source_ref":"course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55","created":"2022-09-27T18:41:43.617Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-27T18:41:43.617Z","description":"Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.","relationship_type":"detects","source_ref":"x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d","target_ref":"attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fd309395-8fcc-402c-9227-90ac897fd602","created":"2024-03-26T15:41:39.905Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T15:41:39.905Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd","created":"2023-10-02T20:23:41.227Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-02T20:23:41.227Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3","target_ref":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0","created":"2024-03-28T14:29:46.095Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye TRITON 2018","description":"Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.","url":"https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T15:03:21.507Z","description":"In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to send unauthorized command messages to the Triconex safety controllers.(Citation: FireEye TRITON 2018)","relationship_type":"uses","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fd856176-396c-4121-9754-35e49bfa5758","created":"2022-05-11T16:22:58.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-14T19:41:55.062Z","description":"Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.","relationship_type":"detects","source_ref":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","target_ref":"attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fdc20415-c9a1-405e-80af-3d297894e8fa","created":"2023-09-28T19:58:30.849Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:58:30.849Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fe22637e-7187-4990-b24a-5dc851eec736","created":"2022-05-11T16:22:58.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-26T15:08:55.507Z","description":"Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.","relationship_type":"detects","source_ref":"x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95","target_ref":"attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f","created":"2023-09-28T21:10:39.025Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:10:39.025Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07","target_ref":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926","created":"2023-09-28T21:26:59.998Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:26:59.998Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb","created":"2023-09-28T19:56:26.241Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T19:56:26.241Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2","target_ref":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ff107632-751b-4efb-86bd-af670b48d35d","created":"2023-09-28T21:21:30.387Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T21:21:30.387Z","description":"","relationship_type":"targets","source_ref":"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded","target_ref":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ff3f0668-98df-44c1-88c2-711f05720eb8","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","created":"2020-09-21T17:59:24.739Z","modified":"2022-05-06T17:47:24.060Z","relationship_type":"mitigates","description":"Restrict configurations changes and firmware updating abilities to only authorized individuals.\n","source_ref":"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd","target_ref":"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_version":"1.0"},{"type":"relationship","id":"relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b","created":"2017-05-31T21:33:27.074Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Joe Slowik April 2019","description":"Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ","url":"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-10-12T17:31:37.216Z","description":"[Bad Rabbit](https://attack.mitre.org/software/S0606) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)","relationship_type":"uses","source_ref":"malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a","target_ref":"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T17:46:20.340Z","name":"Application Server","description":"Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).","x_mitre_sectors":["General"],"x_mitre_platforms":["Windows","Linux"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d","created":"2023-09-28T14:58:00.982Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0008","external_id":"A0008"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.272Z","name":"Application Log Content","description":"Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)","x_mitre_data_source_ref":"x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-06T14:05:01.054Z","name":"2015 Ukraine Electric Power Attack","description":"[2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.","aliases":["2015 Ukraine Electric Power Attack"],"first_seen":"2015-12-01T05:00:00.000Z","last_seen":"2016-01-01T05:00:00.000Z","x_mitre_first_seen_citation":"(Citation: Booz Allen Hamilton)","x_mitre_last_seen_citation":"(Citation: Booz Allen Hamilton)","x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"campaign","id":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","created":"2023-09-27T13:11:52.340Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/campaigns/C0028","external_id":"C0028"},{"source_name":"Booz Allen Hamilton","description":"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ","url":"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack","enterprise-attack"]},{"modified":"2023-09-28T14:23:52.358Z","name":"Workstation","description":"Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.","x_mitre_sectors":["General"],"x_mitre_related_assets":[{"name":"Transient Cyber Asset (TCA)","related_asset_sectors":["Electric"],"description":"A Transient Cyber Asset (TCA)(Citation: North American Electric Reliability Corporation June 2021) is a mobile workstation that is used to support management functions across multiple different networks, rather than being dedicated to any specific device/network. The TCA is often used to directly manage ICS environments that do not have any dedicated support for external remote access. Therefore, the TCA provides a mechanism for connectivity and file transfer to many networks/devices, even if they are segmented or “air gapped” from other networks. "},{"name":"Engineering Workstation (EWS)","related_asset_sectors":["General"],"description":"An Engineering Workstation (EWS) is used to perform various maintenance, configuration, or diagnostics functions for a control system. The EWS will likely require dedicated application software to interface with various devices (e.g., RTUs, PLCs), and may be used to transfer data or files between the control system devices and other networks. "}],"x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41","created":"2023-09-28T14:22:49.837Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0001","external_id":"A0001"},{"source_name":"North American Electric Reliability Corporation June 2021","description":"North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ","url":"https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T18:01:02.506Z","name":"Intelligent Electronic Device (IED)","description":"An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.","x_mitre_sectors":["Electric"],"x_mitre_related_assets":[{"name":"Protection Relay","related_asset_sectors":["Electric"],"description":"A protection relay is a type of IED used within the electric sector to monitor for faults or problematic operating conditions on power lines, busses, or transformers. While traditionally protection relays were electromechanical or electromagnetic devices, modern relays utilize microprocessors, embedded operating system, and SCADA communications."},{"name":"Field Device / Controller","related_asset_sectors":[],"description":"IEDs may be referred to as Field Controllers or Field Devices as a general function name. "}],"x_mitre_platforms":["Embedded"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04","created":"2023-09-28T14:46:42.566Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0005","external_id":"A0005"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-16T18:49:26.400Z","name":"Routers","description":"A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)","x_mitre_sectors":["General"],"x_mitre_platforms":["Embedded"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5","created":"2023-09-29T18:55:09.319Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0014","external_id":"A0014"},{"source_name":"IETF RFC4949 2007","description":"Internet Engineering Task Force. (2007, August). Internet Security Glossary, Version 2. Retrieved September 29, 2023.","url":"https://www.ietf.org/rfc/rfc4949.txt"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T18:08:33.386Z","name":"Data Gateway","description":"Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:\n\n * Protocol Translation: Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. \n * Media Converter: Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. \n * Data Aggregation: Collect and combine data from different devices into one consistent format and protocol interface. \n\nData gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. Further, these devices often have remote various network services that are used to communicate across different zones or networks. \n\nThese assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case. \n","x_mitre_sectors":["General"],"x_mitre_related_assets":[{"name":"Data Acquisition Server (DAS)","related_asset_sectors":["General"],"description":"A Data Acquisition Server (DAS) a system or software platform that is used to collect, aggregate, and store data/telemetry from field devices using various SCADA/Automation protocols. "},{"name":"Serial to Ethernet Gateway","related_asset_sectors":["Electric","General"],"description":"A Serial to Ethernet gateway is a device that is used to connect field devices that only support serial-based communication (e.g., RS-232) with more modern Ethernet-based networks. "}],"x_mitre_platforms":["Windows","Linux","Embedded"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4","created":"2023-09-28T15:01:48.509Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0009","external_id":"A0009"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-07T16:19:46.282Z","name":"User Account Authentication","description":"An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)","x_mitre_data_source_ref":"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e","created":"2021-10-20T15:05:19.271Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T17:59:11.489Z","name":"Human-Machine Interface (HMI)","description":"Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.","x_mitre_sectors":["General"],"x_mitre_related_assets":[{"name":"Operator Workstation (OWS)","related_asset_sectors":["General"],"description":"An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. (Citation: IEC February 2019)"}],"x_mitre_platforms":["Windows","Linux"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64","created":"2023-09-28T14:38:54.407Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0002","external_id":"A0002"},{"source_name":"IEC February 2019","description":"IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ","url":"https://webstore.iec.ch/publication/34421"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.275Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.275Z","name":"Network Share Access","description":"Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)","x_mitre_data_source_ref":"x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-17T16:17:07.038Z","name":"Triton Safety Instrumented System Attack","description":"[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n","aliases":["Triton Safety Instrumented System Attack"],"first_seen":"2017-06-01T04:00:00.000Z","last_seen":"2017-08-01T04:00:00.000Z","x_mitre_first_seen_citation":"(Citation: Triton-EENews-2017)","x_mitre_last_seen_citation":"(Citation: Triton-EENews-2017)","x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"campaign","id":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","created":"2024-03-25T17:47:37.619Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/campaigns/C0030","external_id":"C0030"},{"source_name":"Triton-EENews-2017","description":"Blake Sobczak. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024.","url":"https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"},{"source_name":"FireEye TRITON 2017","description":"Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"},{"source_name":"FireEye TRITON 2018","description":"Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.","url":"https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack","enterprise-attack"]},{"modified":"2024-01-08T20:40:31.822Z","name":"Dragonfly","description":"[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)","aliases":["Dragonfly","TEMP.Isotope","DYMALLOY","Berserk Bear","TG-4192","Crouching Yeti","IRON LIBERTY","Energetic Bear","Ghost Blizzard","BROMINE"],"x_mitre_deprecated":false,"x_mitre_version":"4.0","x_mitre_contributors":["Dragos Threat Intelligence"],"type":"intrusion-set","id":"intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1","created":"2017-05-31T21:32:05.217Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0035","external_id":"G0035"},{"source_name":"DYMALLOY","description":"(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)"},{"source_name":"Berserk Bear","description":"(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"},{"source_name":"TEMP.Isotope","description":"(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)"},{"source_name":"Ghost Blizzard","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"BROMINE","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"Crouching Yeti","description":"(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"},{"source_name":"IRON LIBERTY","description":"(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)"},{"source_name":"TG-4192","description":"(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)"},{"source_name":"Dragonfly","description":"(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"},{"source_name":"Energetic Bear","description":"(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"},{"source_name":"CISA AA20-296A Berserk Bear December 2020","description":"CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions"},{"source_name":"DOJ Russia Targeting Critical Infrastructure March 2022","description":"Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.","url":"https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical"},{"source_name":"Dragos DYMALLOY ","description":"Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.","url":"https://www.dragos.com/threat/dymalloy/"},{"source_name":"Fortune Dragonfly 2.0 Sept 2017","description":"Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.","url":"http://fortune.com/2017/09/06/hack-energy-grid-symantec/"},{"source_name":"Mandiant Ukraine Cyber Threats January 2022","description":"Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.","url":"https://www.mandiant.com/resources/ukraine-crisis-cyber-threats"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"Secureworks MCMD July 2019","description":"Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.","url":"https://www.secureworks.com/research/mcmd-malware-analysis"},{"source_name":"Secureworks IRON LIBERTY July 2019","description":"Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.","url":"https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"},{"source_name":"Secureworks Karagany July 2019","description":"Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.","url":"https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector"},{"source_name":"Gigamon Berserk Bear October 2021","description":"Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.","url":"https://vblocalhost.com/uploads/VB2021-Slowik.pdf"},{"source_name":"Symantec Dragonfly Sept 2017","description":"Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.","url":"https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers"},{"source_name":"Symantec Dragonfly","description":"Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.","url":"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"},{"source_name":"Symantec Dragonfly 2.0 October 2017","description":"Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.","url":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"},{"source_name":"UK GOV FSB Factsheet April 2022","description":"UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.","url":"https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"File Access","description":"Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)","x_mitre_data_source_ref":"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-08-14T15:24:19.141Z","name":"HEXANE","description":"[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)","aliases":["HEXANE","Lyceum","Siamesekitten","Spirlin"],"x_mitre_deprecated":false,"x_mitre_version":"2.3","x_mitre_contributors":["Dragos Threat Intelligence","Mindaugas Gudzis, BT Security"],"type":"intrusion-set","id":"intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G1001","external_id":"G1001"},{"source_name":"Spirlin","description":"(Citation: Accenture Lyceum Targets November 2021)"},{"source_name":"Siamesekitten","description":"(Citation: ClearSky Siamesekitten August 2021)"},{"source_name":"Lyceum","description":"(Citation: SecureWorks August 2019)"},{"source_name":"Accenture Lyceum Targets November 2021","description":"Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.","url":"https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns"},{"source_name":"ClearSky Siamesekitten August 2021","description":"ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.","url":"https://www.clearskysec.com/siamesekitten/"},{"source_name":"Dragos Hexane","description":"Dragos. (n.d.). Hexane. Retrieved October 27, 2019.","url":"https://dragos.com/resource/hexane/"},{"source_name":"Kaspersky Lyceum October 2021","description":"Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.","url":"https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf"},{"source_name":"SecureWorks August 2019","description":"SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 ","url":"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"File Modification","description":"Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)","x_mitre_data_source_ref":"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T19:26:49.788Z","name":"Field I/O","description":"Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. ","x_mitre_related_assets":[{"name":"Smart Sensors","related_asset_sectors":["General"],"description":"*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication."},{"name":"Variable Frequency Drive (VFD)","related_asset_sectors":["General"],"description":"*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected."}],"x_mitre_platforms":["Embedded"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe","created":"2023-09-28T17:57:22.946Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0013","external_id":"A0013"},{"source_name":"Guidance - NIST SP800-82","description":"Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-07T16:15:56.932Z","name":"Process Creation","description":"The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)","x_mitre_data_source_ref":"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"Service Metadata","description":"Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.","x_mitre_data_source_ref":"x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["ics-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2022-05-11T16:22:58.802Z","created":"2022-05-11T16:22:58.802Z","type":"x-mitre-data-component","id":"x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e","name":"Process/Event Alarm","description":"This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)","x_mitre_version":"1.0","x_mitre_data_source_ref":"x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T17:57:56.558Z","name":"Data Historian","description":"Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network.","x_mitre_sectors":["General"],"x_mitre_platforms":["Windows","Linux","Embedded"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499","created":"2023-09-28T14:48:36.305Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0006","external_id":"A0006"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T18:05:43.237Z","name":"Remote Terminal Unit (RTU)","description":"A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.","x_mitre_sectors":["Electric","Water and Wastewater","General"],"x_mitre_platforms":["Embedded","Windows","Linux"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32","created":"2023-09-28T14:44:54.756Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0004","external_id":"A0004"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-16T18:49:08.504Z","name":"Safety Controller","description":"Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.","x_mitre_related_assets":[{"name":"Safety Instrumented System (SIS) controller","related_asset_sectors":[],"description":"SIS controllers are used to “take the process to a safe state when predetermined conditions are violated” (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. "},{"name":"Emergency Shutdown Systems (ESD) controller","related_asset_sectors":[],"description":"Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system “to a safe static condition so that any remedial action can be taken”. (Citation: SIGTTO ESD 2021)"},{"name":"Burner Management Systems (BMS) controller","related_asset_sectors":[],"description":"Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences."}],"x_mitre_platforms":["Embedded"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32","created":"2023-09-28T15:10:05.534Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0010","external_id":"A0010"},{"source_name":"Guidance - NIST SP800-82","description":"Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"},{"source_name":"SIGTTO ESD 2021","description":"Society of International Gas Tanker & Terminal Operators Ltd. (2021). ESD Systems: Recommendations for Emergency Shutdown and Related Safety Systems (Second Edition). Retrieved September 28, 2023.","url":"https://sigtto.org/media/3457/sigtto-2021-esd-systems.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.274Z","name":"Network Traffic Content","description":"Logged network traffic data showing both protocol header and body values (ex: PCAP)","x_mitre_data_source_ref":"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T18:03:06.811Z","name":"Jump Host","description":"Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts. ","x_mitre_sectors":["General"],"x_mitre_related_assets":[{"name":"Intermediate System","related_asset_sectors":["Electric"],"description":"A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)"}],"x_mitre_platforms":["Windows","Linux","Embedded"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787","created":"2023-09-28T17:52:53.206Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0012","external_id":"A0012"},{"source_name":"North American Electric Reliability Corporation June 2021","description":"North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ","url":"https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T18:09:21.296Z","name":"Programmable Logic Controller (PLC)","description":"A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device’s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.","x_mitre_sectors":["General"],"x_mitre_related_assets":[{"name":"Process Automation Controller (PAC)","related_asset_sectors":["General"],"description":"Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls. "},{"name":"Field Device / Controller","related_asset_sectors":[],"description":"Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name. "}],"x_mitre_platforms":["Embedded"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990","created":"2023-09-28T14:43:05.105Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0003","external_id":"A0003"},{"source_name":"IEC February 2013","description":"IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ","url":"https://webstore.iec.ch/publication/4552"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"Service Creation","description":"Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)","x_mitre_data_source_ref":"x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-21T15:41:36.287Z","name":"OS API Execution","description":"Operating system function/method calls executed by a process","x_mitre_data_source_ref":"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22","x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-07T16:14:39.124Z","name":"Command Execution","description":"The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )","x_mitre_data_source_ref":"x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-11T16:06:34.700Z","name":"APT33","description":"[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)","aliases":["APT33","HOLMIUM","Elfin","Peach Sandstorm"],"x_mitre_deprecated":false,"x_mitre_version":"2.0","x_mitre_contributors":["Dragos Threat Intelligence"],"type":"intrusion-set","id":"intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f","created":"2018-04-18T17:59:24.739Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0064","external_id":"G0064"},{"source_name":"APT33","description":"(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)"},{"source_name":"HOLMIUM","description":"(Citation: Microsoft Holmium June 2020)"},{"source_name":"Peach Sandstorm","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"Elfin","description":"(Citation: Symantec Elfin Mar 2019)"},{"source_name":"FireEye APT33 Webinar Sept 2017","description":"Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.","url":"https://www.brighttalk.com/webcast/10703/275683"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"Microsoft Holmium June 2020","description":"Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.","url":"https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/"},{"source_name":"FireEye APT33 Sept 2017","description":"O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.","url":"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"},{"source_name":"Symantec Elfin Mar 2019","description":"Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.","url":"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["ics-attack","enterprise-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T18:09:59.538Z","name":"Control Server","description":"Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.","x_mitre_sectors":["General"],"x_mitre_related_assets":[{"name":"Supervisory Control And Data Acquisition (SCADA) Server","related_asset_sectors":["General","Electric","Water and Wastewater"],"description":"A SCADA server is used to perform monitoring and control across a distributed environment. It typically has an associated HMI to provide information to a human operator and heavily depends on the human operator to initiate control actions."},{"name":"Master Terminal Unit (MTU)","related_asset_sectors":["General"],"description":"*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)"},{"name":"Supervisory controller","related_asset_sectors":["General"],"description":"*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)"},{"name":"Distribution/Energy Management System (DMS/EMS)","related_asset_sectors":["Electric"],"description":"A DMS and EMS are electric sector specific devices that are commonly used to manage distribution and transmission-level electrical grids. These platforms typically integrate a SCADA server and HMI with domain-specific data analysis applications, such as state-estimation and contingency analysis (EMS), or voltage-var control or fault restoration (DMS). "}],"x_mitre_platforms":["Windows","Linux"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3","created":"2023-09-28T14:55:39.339Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0007","external_id":"A0007"},{"source_name":"Guidance - NIST SP800-82","description":"Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.","url":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.274Z","name":"Network Traffic Flow","description":"Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)","x_mitre_data_source_ref":"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["ics-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2022-05-11T16:22:58.802Z","created":"2022-05-11T16:22:58.802Z","type":"x-mitre-data-component","id":"x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95","name":"Process History/Live Data","description":"This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices","x_mitre_version":"1.0","x_mitre_data_source_ref":"x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"aliases":["ALLANITE","Palmetto Fusion"],"x_mitre_domains":["ics-attack"],"x_mitre_contributors":["Dragos Threat Intelligence"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"intrusion-set","id":"intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae","created":"2017-05-31T21:31:57.307Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"G1000","url":"https://attack.mitre.org/groups/G1000"},{"source_name":"Dragos","url":"https://dragos.com/resource/allanite/","description":"Dragos Allanite Retrieved. 2019/10/27 "}],"x_mitre_deprecated":false,"revoked":false,"description":"[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)","modified":"2022-05-24T19:26:10.721Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"ALLANITE","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-04T18:07:59.333Z","name":"Virtual Private Network (VPN) Server","description":"A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.","x_mitre_sectors":["General"],"x_mitre_related_assets":[{"name":"Virtual Private Network (VPN) terminator","related_asset_sectors":["General"],"description":"A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)"},{"name":"Field VPN","related_asset_sectors":["General"],"description":"Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments. "}],"x_mitre_platforms":["Windows","Linux","Embedded"],"x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","type":"x-mitre-asset","id":"x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945","created":"2023-09-28T15:13:07.950Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/assets/A0011","external_id":"A0011"},{"source_name":"IEC February 2019","description":"IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ","url":"https://webstore.iec.ch/publication/34421"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-12T17:37:44.040Z","name":"Sandworm Team","description":"[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)","aliases":["Sandworm Team","ELECTRUM","Telebots","IRON VIKING","BlackEnergy (Group)","Quedagh","Voodoo Bear","IRIDIUM","Seashell Blizzard","FROZENBARENTS","APT44"],"x_mitre_deprecated":false,"x_mitre_version":"4.1","x_mitre_contributors":["Dragos Threat Intelligence","Hakan KARABACAK"],"type":"intrusion-set","id":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","created":"2017-05-31T21:32:04.588Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0034","external_id":"G0034"},{"source_name":"Voodoo Bear","description":"(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"ELECTRUM","description":"(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"Sandworm Team","description":"(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"Quedagh","description":"(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"FROZENBARENTS","description":"(Citation: Leonard TAG 2023)"},{"source_name":"APT44","description":"(Citation: mandiant_apt44_unearthing_sandworm)"},{"source_name":"IRIDIUM","description":"(Citation: Microsoft Prestige ransomware October 2022)"},{"source_name":"Seashell Blizzard","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"BlackEnergy (Group)","description":"(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"Telebots","description":"(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"IRON VIKING","description":"(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"Leonard TAG 2023","description":"Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.","url":"https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"},{"source_name":"US District Court Indictment GRU Oct 2018","description":"Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.","url":"https://www.justice.gov/opa/page/file/1098481/download"},{"source_name":"Dragos ELECTRUM","description":"Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.","url":"https://www.dragos.com/resource/electrum/"},{"source_name":"F-Secure BlackEnergy 2014","description":"F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.","url":"https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"},{"source_name":"iSIGHT Sandworm 2014","description":"Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.","url":"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"},{"source_name":"CrowdStrike VOODOO BEAR","description":"Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.","url":"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"Microsoft Prestige ransomware October 2022","description":"MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.","url":"https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"},{"source_name":"InfoSecurity Sandworm Oct 2014","description":"Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.","url":"https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/"},{"source_name":"NCSC Sandworm Feb 2020","description":"NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.","url":"https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory"},{"source_name":"USDOJ Sandworm Feb 2020","description":"Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.","url":"https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html"},{"source_name":"mandiant_apt44_unearthing_sandworm","description":"Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.","url":"https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"},{"source_name":"US District Court Indictment GRU Unit 74455 October 2020","description":"Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.","url":"https://www.justice.gov/opa/press-release/file/1328521/download"},{"source_name":"Secureworks IRON VIKING ","description":"Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.","url":"https://www.secureworks.com/research/threat-profiles/iron-viking"},{"source_name":"UK NCSC Olympic Attacks October 2020","description":"UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.","url":"https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack","mobile-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["ics-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2022-05-11T16:22:58.802Z","created":"2022-05-11T16:22:58.802Z","type":"x-mitre-data-component","id":"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298","name":"Device Alarm","description":"This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes","x_mitre_version":"1.0","x_mitre_data_source_ref":"x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.271Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.271Z","name":"Scheduled Job Metadata","description":"Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.","x_mitre_data_source_ref":"x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-10T21:18:24.743Z","name":"2016 Ukraine Electric Power Attack","description":"[2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)","aliases":["2016 Ukraine Electric Power Attack"],"first_seen":"2016-12-01T05:00:00.000Z","last_seen":"2016-12-01T05:00:00.000Z","x_mitre_first_seen_citation":"(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)","x_mitre_last_seen_citation":"(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)","x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"campaign","id":"campaign--aa73efef-1418-4dbe-b43c-87a498e97234","created":"2023-03-31T17:22:23.567Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/campaigns/C0025","external_id":"C0025"},{"source_name":"ESET Industroyer","description":"Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.","url":"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"},{"source_name":"Dragos Crashoverride 2018","description":"Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.","url":"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["enterprise-attack","ics-attack"]},{"modified":"2023-04-05T22:00:43.353Z","name":"Maroochy Water Breach","description":"[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)","aliases":["Maroochy Water Breach"],"first_seen":"2000-02-01T05:00:00.000Z","last_seen":"2000-04-01T05:00:00.000Z","x_mitre_first_seen_citation":"(Citation: Marshall Abrams July 2008)","x_mitre_last_seen_citation":"(Citation: Marshall Abrams July 2008)","x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"campaign","id":"campaign--70cab19e-1745-425e-b3db-c02cd5ff157a","created":"2023-03-10T20:01:08.133Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/campaigns/C0020","external_id":"C0020"},{"source_name":"Marshall Abrams July 2008","description":"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ","url":"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"]},{"modified":"2024-04-15T19:37:46.084Z","name":"Unitronics Defacement Campaign","description":"The [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031) was a collection of intrusions across multiple sectors by the [CyberAv3ngers](https://attack.mitre.org/groups/G1027), where threat actors engaged in a seemingly opportunistic and global targeting and defacement of Unitronics Vision Series [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). The sectors that these PLCs can be commonly found in are water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the PLCs' HMIs.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Frank Bajak and Marc Levy December 2023)","aliases":["Unitronics Defacement Campaign"],"first_seen":"2023-11-01T04:00:00.000Z","last_seen":"2023-11-01T04:00:00.000Z","x_mitre_first_seen_citation":"(Citation: CISA AA23-335A IRGC-Affiliated December 2023)","x_mitre_last_seen_citation":"(Citation: Lisa Zahner December 2023)","x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"campaign","id":"campaign--8fda050f-470d-4401-994e-35c1a6c301de","created":"2024-03-25T19:58:53.090Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/campaigns/C0031","external_id":"C0031"},{"source_name":"CISA AA23-335A IRGC-Affiliated December 2023","description":"DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"},{"source_name":"Frank Bajak and Marc Levy December 2023","description":"Frank Bajak and Marc Levy. (2023, December 2). Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say. Retrieved March 25, 2024.","url":"https://apnews.com/article/hackers-iran-israel-water-utilities-critical-infrastructure-cisa-554b2aa969c8220016ab2ef94bd7635b"},{"source_name":"Lisa Zahner December 2023","description":"Lisa Zahner. (2023, December 15). Hackers in Iran attack computer at Vero Utilities. Retrieved March 25, 2024.","url":"https://veronews.com/2023/12/15/hackers-in-iran-attack-computer-at-vero-utilities/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"]},{"aliases":["Dragonfly 2.0","IRON LIBERTY","DYMALLOY","Berserk Bear"],"x_mitre_domains":["enterprise-attack","ics-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"intrusion-set","id":"intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"2.1","external_references":[{"source_name":"mitre-attack","external_id":"G0074","url":"https://attack.mitre.org/groups/G0074"},{"source_name":"DYMALLOY","description":"(Citation: Dragos DYMALLOY )"},{"source_name":"Berserk Bear","description":"(Citation: Fortune Dragonfly 2.0 Sept 2017)"},{"source_name":"IRON LIBERTY","description":"(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)"},{"source_name":"Dragonfly 2.0","description":"(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)"},{"source_name":"Dragos DYMALLOY ","url":"https://www.dragos.com/threat/dymalloy/","description":"Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020."},{"source_name":"Fortune Dragonfly 2.0 Sept 2017","url":"http://fortune.com/2017/09/06/hack-energy-grid-symantec/","description":"Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018."},{"source_name":"Secureworks MCMD July 2019","url":"https://www.secureworks.com/research/mcmd-malware-analysis","description":"Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020."},{"source_name":"Secureworks IRON LIBERTY","url":"https://www.secureworks.com/research/threat-profiles/iron-liberty","description":"Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020."},{"source_name":"Symantec Dragonfly Sept 2017","url":"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group","description":"Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017."},{"source_name":"US-CERT TA18-074A","url":"https://www.us-cert.gov/ncas/alerts/TA18-074A","description":"US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."}],"x_mitre_deprecated":false,"revoked":true,"description":"[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )","modified":"2022-05-11T14:00:00.188Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Dragonfly 2.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-11-01T21:18:51.941Z","name":"File Metadata","description":"Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.","x_mitre_data_source_ref":"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9","x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-21T21:47:58.629Z","name":"Asset Inventory","description":"This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)","x_mitre_data_source_ref":"x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c","x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706","created":"2022-09-23T16:34:00.912Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-11T16:06:34.699Z","name":"Lazarus Group","description":"[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). ","aliases":["Lazarus Group","Labyrinth Chollima","HIDDEN COBRA","Guardians of Peace","ZINC","NICKEL ACADEMY","Diamond Sleet"],"x_mitre_deprecated":false,"x_mitre_version":"4.0","x_mitre_contributors":["Kyaw Pyiyt Htet, @KyawPyiytHtet","Dragos Threat Intelligence"],"type":"intrusion-set","id":"intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a","created":"2017-05-31T21:32:03.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0032","external_id":"G0032"},{"source_name":"Labyrinth Chollima","description":"(Citation: CrowdStrike Labyrinth Chollima Feb 2022)"},{"source_name":"Diamond Sleet","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"ZINC","description":"(Citation: Microsoft ZINC disruption Dec 2017)"},{"source_name":"Lazarus Group","description":"(Citation: Novetta Blockbuster)"},{"source_name":"NICKEL ACADEMY","description":"(Citation: Secureworks NICKEL ACADEMY Dec 2017)"},{"source_name":"Guardians of Peace","description":"(Citation: US-CERT HIDDEN COBRA June 2017)"},{"source_name":"CrowdStrike Labyrinth Chollima Feb 2022","description":"CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.","url":"https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"Novetta Blockbuster","description":"Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.","url":"https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"},{"source_name":"Secureworks NICKEL ACADEMY Dec 2017","description":"Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.","url":"https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing"},{"source_name":"Microsoft ZINC disruption Dec 2017","description":"Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.","url":"https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/"},{"source_name":"HIDDEN COBRA","description":"The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)"},{"source_name":"Treasury North Korean Cyber Groups September 2019","description":"US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.","url":"https://home.treasury.gov/news/press-releases/sm774"},{"source_name":"US-CERT HIDDEN COBRA June 2017","description":"US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.","url":"https://www.us-cert.gov/ncas/alerts/TA17-164A"},{"source_name":"US-CERT HOPLIGHT Apr 2019","description":"US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.","url":"https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"Windows Registry Key Modification","description":"Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)","x_mitre_data_source_ref":"x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-20T22:40:13.147Z","name":"Oldsmar Treatment Plant Intrusion","description":"[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)","aliases":["Oldsmar Treatment Plant Intrusion"],"first_seen":"2021-02-01T05:00:00.000Z","last_seen":"2021-02-01T05:00:00.000Z","x_mitre_first_seen_citation":"(Citation: Pinellas County Sheriffs Office February 2021)","x_mitre_last_seen_citation":"(Citation: Pinellas County Sheriffs Office February 2021)","x_mitre_deprecated":true,"x_mitre_version":"1.0","type":"campaign","id":"campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2","created":"2022-09-20T20:53:14.373Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/campaigns/C0009","external_id":"C0009"},{"source_name":"CISA AA21-042A Water Treatment Intrusion Feb 2021","description":"CISA. (2021, February 11). Compromise of U.S. Water Treatment Facility . Retrieved October 18, 2022.","url":"https://www.cisa.gov/uscert/ncas/alerts/aa21-042a"},{"source_name":"Pinellas County Sheriffs Office February 2021","description":"Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ","url":"https://www.youtube.com/watch?v=MkXDSOgLQ6M"},{"source_name":"Dragos Oldsmar Feb 2021","description":"Serino, G., et al . (2021, February 8). Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack. Retrieved October 21, 2022.","url":"https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["ics-attack"]},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.272Z","name":"Process Termination","description":"Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)","x_mitre_data_source_ref":"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-04T20:33:04.739Z","name":"OilRig","description":"[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)","aliases":["OilRig","COBALT GYPSY","IRN2","APT34","Helix Kitten","Evasive Serpens","Hazel Sandstorm","EUROPIUM","ITG13"],"x_mitre_deprecated":false,"x_mitre_version":"4.1","x_mitre_contributors":["Robert Falcone","Bryan Lee","Dragos Threat Intelligence"],"type":"intrusion-set","id":"intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0049","external_id":"G0049"},{"source_name":"IRN2","description":"(Citation: Crowdstrike Helix Kitten Nov 2018)"},{"source_name":"ITG13","description":"(Citation: IBM ZeroCleare Wiper December 2019)"},{"source_name":"Hazel Sandstorm","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"EUROPIUM","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"OilRig","description":"(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)"},{"source_name":"COBALT GYPSY","description":"(Citation: Secureworks COBALT GYPSY Threat Profile)"},{"source_name":"Helix Kitten","description":"(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)"},{"source_name":"Evasive Serpens","description":"(Citation: Unit42 OilRig Playbook 2023)"},{"source_name":"Check Point APT34 April 2021","description":"Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.","url":"https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/"},{"source_name":"ClearSky OilRig Jan 2017","description":"ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.","url":"http://www.clearskysec.com/oilrig/"},{"source_name":"Palo Alto OilRig May 2016","description":"Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.","url":"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"},{"source_name":"Palo Alto OilRig April 2017","description":"Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.","url":"http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/"},{"source_name":"Palo Alto OilRig Oct 2016","description":"Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.","url":"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"},{"source_name":"IBM ZeroCleare Wiper December 2019","description":"Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.","url":"https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/"},{"source_name":"Unit 42 QUADAGENT July 2018","description":"Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.","url":"https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/"},{"source_name":"Crowdstrike Helix Kitten Nov 2018","description":"Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.","url":"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"FireEye APT34 Dec 2017","description":"Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.","url":"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"},{"source_name":"Secureworks COBALT GYPSY Threat Profile","description":"Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.","url":"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"},{"source_name":"APT34","description":"This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)"},{"source_name":"Unit 42 Playbook Dec 2017","description":"Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.","url":"https://pan-unit42.github.io/playbook_viewer/"},{"source_name":"Unit42 OilRig Playbook 2023","description":"Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.","url":"https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"File Creation","description":"Initial construction of a new file (ex: Sysmon EID 11)","x_mitre_data_source_ref":"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.272Z","name":"Module Load","description":"Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)","x_mitre_data_source_ref":"x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.274Z","name":"Logon Session Metadata","description":"Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it","x_mitre_data_source_ref":"x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"Drive Modification","description":"Changes made to a drive letter or mount point of a data storage device","x_mitre_data_source_ref":"x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-10T16:02:48.078Z","name":"2022 Ukraine Electric Power Attack","description":"The [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign that used a combination of GOGETTER, Neo-REGEORG, [CaddyWiper](https://attack.mitre.org/software/S0693), and living of the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.(Citation: Mandiant-Sandworm-Ukraine-2022)(Citation: Dragos-Sandworm-Ukraine-2022) ","aliases":["2022 Ukraine Electric Power Attack"],"first_seen":"2022-06-01T04:00:00.000Z","last_seen":"2022-10-01T04:00:00.000Z","x_mitre_first_seen_citation":"(Citation: Mandiant-Sandworm-Ukraine-2022)","x_mitre_last_seen_citation":"(Citation: Mandiant-Sandworm-Ukraine-2022)","x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"campaign","id":"campaign--df8eb785-70f8-4300-b444-277ba849083d","created":"2024-03-27T19:43:25.703Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/campaigns/C0034","external_id":"C0034"},{"source_name":"Dragos-Sandworm-Ukraine-2022","description":"Dragos, Inc.. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.","url":"https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/"},{"source_name":"Mandiant-Sandworm-Ukraine-2022","description":"Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.","url":"https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["enterprise-attack","ics-attack"]},{"modified":"2022-10-21T21:47:33.604Z","name":"Software","description":"This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).","x_mitre_data_source_ref":"x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c","x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d","created":"2022-09-23T16:36:08.632Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-07T16:18:20.802Z","name":"Logon Session Creation","description":"Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)","x_mitre_data_source_ref":"x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.272Z","name":"Process Metadata","description":"Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.","x_mitre_data_source_ref":"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-07T16:16:55.269Z","name":"Script Execution","description":"The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)","x_mitre_data_source_ref":"x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-17T22:09:41.004Z","name":"FIN7","description":"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)","aliases":["FIN7","GOLD NIAGARA","ITG14","Carbon Spider","ELBRUS","Sangria Tempest"],"x_mitre_deprecated":false,"x_mitre_version":"4.0","x_mitre_contributors":["Edward Millington"],"type":"intrusion-set","id":"intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc","created":"2017-05-31T21:32:09.460Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0046","external_id":"G0046"},{"source_name":"Carbon Spider","description":"(Citation: CrowdStrike Carbon Spider August 2021)"},{"source_name":"FIN7","description":"(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)"},{"source_name":"ELBRUS","description":"(Citation: Microsoft Ransomware as a Service)"},{"source_name":"Sangria Tempest","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"GOLD NIAGARA","description":"(Citation: Secureworks GOLD NIAGARA Threat Profile)"},{"source_name":"Mandiant FIN7 Apr 2022","description":"Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.","url":"https://www.mandiant.com/resources/evolution-of-fin7"},{"source_name":"FireEye CARBANAK June 2017","description":"Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.","url":"https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"},{"source_name":"FireEye FIN7 April 2017","description":"Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.","url":"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"},{"source_name":"FireEye FIN7 Aug 2018","description":"Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.","url":"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"},{"source_name":"Secureworks GOLD NIAGARA Threat Profile","description":"CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.","url":"https://www.secureworks.com/research/threat-profiles/gold-niagara"},{"source_name":"FireEye FIN7 Shim Databases","description":"Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.","url":"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"},{"source_name":"Morphisec FIN7 June 2017","description":"Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.","url":"http://blog.morphisec.com/fin7-attacks-restaurant-industry"},{"source_name":"ITG14","description":"ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)"},{"source_name":"CrowdStrike Carbon Spider August 2021","description":"Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.","url":"https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"Microsoft Ransomware as a Service","description":"Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.","url":"https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"},{"source_name":"FireEye FIN7 March 2017","description":"Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.","url":"https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"},{"source_name":"IBM Ransomware Trends September 2020","description":"Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.","url":"https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-03T20:21:34.872Z","name":"Wizard Spider","description":"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)","aliases":["Wizard Spider","UNC1878","TEMP.MixMaster","Grim Spider","FIN12","GOLD BLACKBURN","ITG23","Periwinkle Tempest","DEV-0193"],"x_mitre_deprecated":false,"x_mitre_version":"4.0","x_mitre_contributors":["Edward Millington","Oleksiy Gayda"],"type":"intrusion-set","id":"intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7","created":"2020-05-12T18:15:29.396Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0102","external_id":"G0102"},{"source_name":"Grim Spider","description":"(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)"},{"source_name":"UNC1878","description":"(Citation: FireEye KEGTAP SINGLEMALT October 2020)"},{"source_name":"TEMP.MixMaster","description":"(Citation: FireEye Ryuk and Trickbot January 2019)"},{"source_name":"ITG23","description":"(Citation: IBM X-Force ITG23 Oct 2021)"},{"source_name":"FIN12","description":"(Citation: Mandiant FIN12 Oct 2021)"},{"source_name":"Periwinkle Tempest","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"DEV-0193","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"GOLD BLACKBURN","description":"(Citation: Secureworks Gold Blackburn Mar 2022)"},{"source_name":"DHS/CISA Ransomware Targeting Healthcare October 2020","description":"DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.","url":"https://us-cert.cisa.gov/ncas/alerts/aa20-302a"},{"source_name":"FireEye Ryuk and Trickbot January 2019","description":"Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.","url":"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"},{"source_name":"CrowdStrike Ryuk January 2019","description":"Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.","url":"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"},{"source_name":"CrowdStrike Grim Spider May 2019","description":"John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.","url":"https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/"},{"source_name":"FireEye KEGTAP SINGLEMALT October 2020","description":"Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.","url":"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"CrowdStrike Wizard Spider October 2020","description":"Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.","url":"https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"},{"source_name":"Secureworks Gold Blackburn Mar 2022","description":"Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.","url":"https://www.secureworks.com/research/threat-profiles/gold-blackburn"},{"source_name":"Mandiant FIN12 Oct 2021","description":"Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.","url":"https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"},{"source_name":"IBM X-Force ITG23 Oct 2021","description":"Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.","url":"https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-17T16:13:43.697Z","name":"TEMP.Veles","description":"[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)","aliases":["TEMP.Veles","XENOTIME"],"x_mitre_deprecated":false,"x_mitre_version":"1.4","x_mitre_contributors":["Dragos Threat Intelligence"],"type":"intrusion-set","id":"intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4","created":"2019-04-16T15:14:38.533Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0088","external_id":"G0088"},{"source_name":"TEMP.Veles","description":"(Citation: FireEye TRITON 2019)"},{"source_name":"Dragos Xenotime 2018","description":"Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.","url":"https://dragos.com/resource/xenotime/"},{"source_name":"FireEye TEMP.Veles 2018","description":"FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.","url":"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"},{"source_name":"FireEye TRITON 2019","description":"Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.","url":"https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html"},{"source_name":"FireEye TEMP.Veles JSON April 2019","description":"Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.","url":"https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html"},{"source_name":"Pylos Xenotime 2019","description":"Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.","url":"https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/"},{"source_name":"XENOTIME","description":"The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-20T20:18:06.745Z","name":"Network Connection Creation","description":"Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)","x_mitre_data_source_ref":"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"Windows Registry Key Deletion","description":"Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)","x_mitre_data_source_ref":"x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"Drive Creation","description":"Initial construction of a drive letter or mount point to a data storage device","x_mitre_data_source_ref":"x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.271Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.271Z","name":"Firmware Modification","description":"Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)","x_mitre_data_source_ref":"x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2022-03-30T14:26:51.805Z","name":"File Deletion","description":"Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)","x_mitre_data_source_ref":"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.271Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.271Z","name":"Scheduled Job Modification","description":"Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)","x_mitre_data_source_ref":"x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-01-08T22:13:27.588Z","name":"FIN6","description":"[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)","aliases":["FIN6","Magecart Group 6","ITG08","Skeleton Spider","TAAL","Camouflage Tempest"],"x_mitre_deprecated":false,"x_mitre_version":"4.0","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)","Drew Church, Splunk"],"type":"intrusion-set","id":"intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb","created":"2017-05-31T21:32:06.015Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0037","external_id":"G0037"},{"source_name":"Skeleton Spider","description":"(Citation: Crowdstrike Global Threat Report Feb 2018)"},{"source_name":"FIN6","description":"(Citation: FireEye FIN6 April 2016)"},{"source_name":"TAAL","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"Camouflage Tempest","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"Magecart Group 6","description":"(Citation: Security Intelligence ITG08 April 2020)"},{"source_name":"ITG08","description":"(Citation: Security Intelligence More Eggs Aug 2019)"},{"source_name":"Crowdstrike Global Threat Report Feb 2018","description":"CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.","url":"https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report"},{"source_name":"FireEye FIN6 April 2016","description":"FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.","url":"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"},{"source_name":"FireEye FIN6 Apr 2019","description":"McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.","url":"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"Security Intelligence ITG08 April 2020","description":"Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.","url":"https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/"},{"source_name":"Security Intelligence More Eggs Aug 2019","description":"Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.","url":"https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.273Z","name":"Service Modification","description":"Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)","x_mitre_data_source_ref":"x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-28T20:49:53.223Z","name":"GOLD SOUTHFIELD","description":"[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)","aliases":["GOLD SOUTHFIELD","Pinchy Spider"],"x_mitre_deprecated":false,"x_mitre_version":"2.0","x_mitre_contributors":["Thijn Bukkems, Amazon"],"type":"intrusion-set","id":"intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133","created":"2020-09-22T19:41:27.845Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0115","external_id":"G0115"},{"source_name":"Pinchy Spider","description":"(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)"},{"source_name":"Secureworks REvil September 2019","description":"Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.","url":"https://www.secureworks.com/research/revil-sodinokibi-ransomware"},{"source_name":"CrowdStrike Evolution of Pinchy Spider July 2021","description":"Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.","url":"https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/"},{"source_name":"Secureworks GandCrab and REvil September 2019","description":"Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.","url":"https://www.secureworks.com/blog/revil-the-gandcrab-connection"},{"source_name":"Secureworks GOLD SOUTHFIELD","description":"Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.","url":"https://www.secureworks.com/research/threat-profiles/gold-southfield"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-08-26T16:33:33.984Z","name":"APT38","description":"[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.","aliases":["APT38","NICKEL GLADSTONE","BeagleBoyz","Bluenoroff","Stardust Chollima","Sapphire Sleet","COPERNICIUM"],"x_mitre_deprecated":false,"x_mitre_version":"3.0","type":"intrusion-set","id":"intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340","created":"2019-01-29T21:27:24.793Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0082","external_id":"G0082"},{"source_name":"BeagleBoyz","description":"(Citation: CISA AA20-239A BeagleBoyz August 2020)"},{"source_name":"Stardust Chollima","description":"(Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)"},{"source_name":"APT38","description":"(Citation: FireEye APT38 Oct 2018)"},{"source_name":"Bluenoroff","description":"(Citation: Kaspersky Lazarus Under The Hood Blog 2017)"},{"source_name":"Sapphire Sleet","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"COPERNICIUM","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"NICKEL GLADSTONE","description":"(Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)"},{"source_name":"CrowdStrike GTR 2021 June 2021","description":"CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021.","url":"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"},{"source_name":"DOJ North Korea Indictment Feb 2021","description":"Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021.","url":"https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and"},{"source_name":"CISA AA20-239A BeagleBoyz August 2020","description":"DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.","url":"https://us-cert.cisa.gov/ncas/alerts/aa20-239a"},{"source_name":"FireEye APT38 Oct 2018","description":"FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.","url":"https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"},{"source_name":"Kaspersky Lazarus Under The Hood Blog 2017","description":"GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.","url":"https://securelist.com/lazarus-under-the-hood/77908/"},{"source_name":"CrowdStrike Stardust Chollima Profile April 2018","description":"Meyers, Adam. (2018, April 6). Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021.","url":"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"SecureWorks NICKEL GLADSTONE profile Sept 2021","description":"SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021.","url":"https://www.secureworks.com/research/threat-profiles/nickel-gladstone"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.271Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.271Z","name":"Scheduled Job Creation","description":"Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)","x_mitre_data_source_ref":"x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-10T18:39:36.997Z","name":"CyberAv3ngers","description":"The [CyberAv3ngers](https://attack.mitre.org/groups/G1027) are a suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT group. The [CyberAv3ngers](https://attack.mitre.org/groups/G1027) have been known to be active since at least 2020, with disputed and false claims of critical infrastructure compromises in Israel.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)\n\nIn 2023, the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) engaged in a global targeting and hacking of the Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). This PLC can be found in multiple sectors, including water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the devices user interface.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)","aliases":["CyberAv3ngers","Soldiers of Soloman"],"x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"intrusion-set","id":"intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa","created":"2024-03-25T19:57:07.829Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G1027","external_id":"G1027"},{"source_name":"Soldiers of Soloman","description":"CyberAv3ngers reportedly has connections to the IRGC-linked group Soldiers of Solomon.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)"},{"source_name":"CISA AA23-335A IRGC-Affiliated December 2023","description":"DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["ics-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-10-14T22:11:30.271Z","name":"Application Log","description":"Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["IaaS","Linux","SaaS","Windows","macOS","Office Suite"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_collection_layers":["Cloud Control Plane","Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0015","external_id":"DS0015"},{"source_name":"Confluence Logs","description":"Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.","url":"https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2024-10-14T22:11:30.271Z","name":"User Account","description":"A profile representing a user, device, service, or application used to authenticate and access resources","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Containers","IaaS","Linux","SaaS","Windows","macOS","Office Suite","Identity Provider"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack"],"x_mitre_version":"1.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Cloud Control Plane","Container","Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6","created":"2021-10-20T15:05:19.271Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0002","external_id":"DS0002"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"x_mitre_platforms":["Linux","Windows","macOS"],"x_mitre_domains":["enterprise-attack"],"x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Host"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e","type":"x-mitre-data-source","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0033","external_id":"DS0033"},{"source_name":"Microsoft NFS Overview","description":"Microsoft. (2018, July 9). Network File System overview. Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview"}],"modified":"2022-03-30T14:26:51.806Z","name":"Network Share","description":"A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-12-07T19:35:34.863Z","name":"File","description":"A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)","x_mitre_platforms":["Linux","Network","Windows","macOS"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0022","external_id":"DS0022"},{"source_name":"Microsoft File Mgmt","description":"Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/windows/win32/fileio/file-management"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-20T18:38:26.515Z","name":"Process","description":"Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)","x_mitre_platforms":["Linux","Windows","macOS","Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0009","external_id":"DS0009"},{"source_name":"Microsoft Processes and Threads","description":"Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Linux","Windows","macOS"],"x_mitre_domains":["enterprise-attack"],"x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Host"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb","type":"x-mitre-data-source","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0019","external_id":"DS0019"},{"source_name":"Microsoft Services","description":"Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications"},{"source_name":"Linux Services Run Levels","description":"The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.","url":"https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/"}],"modified":"2022-03-30T14:26:51.807Z","name":"Service","description":"A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-24T19:14:55.615Z","name":"Operational Databases","description":"Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_collection_layers":["Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552","created":"2022-05-11T16:22:58.802Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0040","external_id":"DS0040"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-20T18:38:13.356Z","name":"Network Traffic","description":"Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)","x_mitre_platforms":["IaaS","Linux","Windows","macOS","Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)","ExtraHop"],"x_mitre_collection_layers":["Cloud Control Plane","Host","Network"],"type":"x-mitre-data-source","id":"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0029","external_id":"DS0029"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-20T18:38:00.625Z","name":"Command","description":"A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)","x_mitre_platforms":["Containers","Linux","Network","Windows","macOS","Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)","Austin Clark, @c2defense"],"x_mitre_collection_layers":["Container","Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0017","external_id":"DS0017"},{"source_name":"Confluence Linux Command Line","description":"Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.","url":"https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html"},{"source_name":"Audit OSX","description":"Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.","url":"https://www.scip.ch/en/?labs.20150108"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Containers","Linux","Windows","macOS"],"x_mitre_domains":["enterprise-attack"],"x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Container","Host"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883","type":"x-mitre-data-source","created":"2021-10-20T15:05:19.271Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0003","external_id":"DS0003"},{"source_name":"Microsoft Tasks","description":"Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks"}],"modified":"2022-03-30T14:26:51.806Z","name":"Scheduled Job","description":"Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-24T19:14:15.637Z","name":"Asset","description":"Data sources with information about the set of devices found within the network, along with their current software and configurations","x_mitre_deprecated":false,"x_mitre_domains":["ics-attack"],"x_mitre_version":"1.0","x_mitre_collection_layers":["Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c","created":"2022-05-11T16:22:58.802Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0039","external_id":"DS0039"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Windows"],"x_mitre_domains":["enterprise-attack","ics-attack"],"x_mitre_collection_layers":["Host"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0","type":"x-mitre-data-source","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0024","external_id":"DS0024"},{"source_name":"Microsoft Registry","description":"Microsoft. (2018, May 31). Registry. Retrieved September 29, 2021.","url":"https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry"}],"modified":"2022-05-11T14:00:00.188Z","name":"Windows Registry","description":"A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Linux","Windows","macOS"],"x_mitre_domains":["enterprise-attack"],"x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Host"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563","type":"x-mitre-data-source","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0011","external_id":"DS0011"},{"source_name":"Microsoft LoadLibrary","description":"Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya"},{"source_name":"Microsoft Module Class","description":"Microsoft. (n.d.). Module Class. Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module"}],"modified":"2022-03-30T14:26:51.806Z","name":"Module","description":"Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-10-14T22:11:30.271Z","name":"Logon Session","description":"Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["IaaS","Linux","SaaS","Windows","macOS","Office Suite","Identity Provider"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack"],"x_mitre_version":"1.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Cloud Control Plane","Host","Network"],"type":"x-mitre-data-source","id":"x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0028","external_id":"DS0028"},{"source_name":"Microsoft Audit Logon Events","description":"Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"x_mitre_platforms":["Linux","Windows","macOS"],"x_mitre_domains":["enterprise-attack"],"x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Host"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065","type":"x-mitre-data-source","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0016","external_id":"DS0016"},{"source_name":"Sysmon EID 9","description":"Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. Retrieved September 24, 2021.","url":"https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread"}],"modified":"2022-03-30T14:26:51.804Z","name":"Drive","description":"A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-12-07T19:50:56.964Z","name":"Script","description":"A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)","x_mitre_platforms":["Windows"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0012","external_id":"DS0012"},{"source_name":"FireEye PowerShell Logging","description":"Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.","url":"https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"},{"source_name":"Microsoft AMSI","description":"Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"},{"source_name":"Microsoft PowerShell Logging","description":"Microsoft. (2020, March 30). about_Logging_Windows. Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Linux","Windows","macOS"],"x_mitre_domains":["enterprise-attack"],"x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Host"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f","type":"x-mitre-data-source","created":"2021-10-20T15:05:19.265Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0001","external_id":"DS0001"}],"modified":"2022-03-30T14:26:51.805Z","name":"Firmware","description":"Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["ics-attack"],"id":"intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6","type":"intrusion-set","created":"2018-01-16T16:13:52.465Z","revoked":true,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0057","external_id":"G0057"}],"modified":"2018-10-17T00:17:13.469Z","name":"APT34","x_mitre_version":"1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2018-10-17T00:14:20.652Z","relationship_type":"revoked-by","source_ref":"intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6","target_ref":"intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb","created":"2022-04-15T22:05:32.209Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-15T22:05:32.209Z","relationship_type":"revoked-by","source_ref":"intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71","target_ref":"intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c","created":"2023-09-27T13:17:12.592Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Andy Greenberg June 2017","description":"Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.","url":"https://www.wired.com/story/russian-hackers-attack-ukraine/"},{"source_name":"US District Court Indictment GRU Unit 74455 October 2020","description":"Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.","url":"https://www.justice.gov/opa/press-release/file/1328521/download"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-27T13:37:24.610Z","description":"(Citation: Andy Greenberg June 2017) (Citation: US District Court Indictment GRU Unit 74455 October 2020)","relationship_type":"attributed-to","source_ref":"campaign--46421788-b6e1-4256-b351-f8beffd1afba","target_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--538e5653-137a-4ce2-8b08-5ba69caa794a","created":"2024-03-25T17:58:07.886Z","revoked":false,"external_references":[{"source_name":"FireEye TRITON Dec 2017","description":"Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.","url":"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"},{"source_name":"FireEye TEMP.Veles 2018","description":"FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.","url":"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-25T17:58:07.886Z","description":"(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TRITON Dec 2017)","relationship_type":"attributed-to","source_ref":"campaign--45a98f02-852f-49b2-94c0-c63207bebbbf","target_ref":"intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--90647f03-38a4-4364-a3af-53640a81360e","created":"2023-03-31T18:11:19.943Z","revoked":false,"external_references":[{"source_name":"Joe Slowik August 2019","description":"Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ","url":"https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"},{"source_name":"US District Court Indictment GRU Unit 74455 October 2020","description":"Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.","url":"https://www.justice.gov/opa/press-release/file/1328521/download"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T18:11:19.943Z","description":"(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Joe Slowik August 2019)","relationship_type":"attributed-to","source_ref":"campaign--aa73efef-1418-4dbe-b43c-87a498e97234","target_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0","created":"2024-03-25T19:59:09.628Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CISA AA23-335A IRGC-Affiliated December 2023","description":"DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-19T19:42:09.274Z","description":"(Citation: CISA AA23-335A IRGC-Affiliated December 2023)","relationship_type":"attributed-to","source_ref":"campaign--8fda050f-470d-4401-994e-35c1a6c301de","target_ref":"intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d3717846-eaab-4fde-99f6-a972dec9323b","created":"2024-03-27T19:43:45.213Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Dragos-Sandworm-Ukraine-2022","description":"Dragos, Inc.. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.","url":"https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/"},{"source_name":"Mandiant-Sandworm-Ukraine-2022","description":"Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.","url":"https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-10T16:02:58.250Z","description":"(Citation: Mandiant-Sandworm-Ukraine-2022)(Citation: Dragos-Sandworm-Ukraine-2022) ","relationship_type":"attributed-to","source_ref":"campaign--df8eb785-70f8-4300-b444-277ba849083d","target_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","type":"identity","identity_class":"organization","created":"2017-06-01T00:00:00.000Z","modified":"2017-06-01T00:00:00.000Z","name":"The MITRE Corporation"},{"definition":{"statement":"Copyright 2015-2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation."},"id":"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168","type":"marking-definition","created":"2017-06-01T00:00:00.000Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","definition_type":"statement","x_mitre_attack_spec_version":"2.1.0"}],"spec_version":"2.0"}
\ No newline at end of file
+{"type": "bundle", "id": "bundle--afbe7faa-1b31-4738-b702-c698024876c8", "objects": [{"type": "x-mitre-matrix", "id": "x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/matrices/ics/", "external_id": "ics-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:34.561Z", "name": "ATT&CK for ICS", "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.", "tactic_refs": ["x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046", "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7", "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453", "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924", "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9", "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f", "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134", "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024", "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "created": "2019-06-11T17:06:56.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0948", "external_id": "M0948"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:25.920Z", "name": "Application Isolation and Sandboxing", "description": "Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.", "labels": ["IEC 62443-3-3:2013 - SR 5.4", "IEC 62443-4-2:2019 - CR 5.4", "NIST SP 800-53 Rev. 5 - SI-3"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "created": "2019-06-11T16:33:55.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0937", "external_id": "M0937"}, {"source_name": "Centre for the Protection of National Infrastructure February 2005", "description": "Centre for the Protection of National Infrastructure 2005, February FIREWALL DEPLOYMENT FOR SCADA AND PROCESS CONTROL NETWORKS Retrieved. 2020/09/17 ", "url": "https://www.energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:26.074Z", "name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)", "labels": ["IEC 62443-3-3:2013 - SR 5.1", "IEC 62443-4-2:2019 - CR 5.1", "NIST SP 800-53 Rev. 5 - AC-3; SC-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "created": "2019-06-06T20:52:59.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0921", "external_id": "M0921"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:26.226Z", "name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "labels": ["IEC 62443-3-3:2013 - SR 2.4", "IEC 62443-4-2:2019 - HDR 2.4", "NIST SP 800-53 Rev. 5 - SC-18"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", "created": "2023-03-22T15:49:55.439Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0818", "external_id": "M0818"}, {"source_name": "PLCTop20 Mar 2023", "description": "PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.", "url": "https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:26.390Z", "name": "Validate Program Inputs", "description": "Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)", "labels": ["IEC 62443-3-3:2013 - SR 3.5", "IEC 62443-3-3:2013 - SR 3.6", "IEC 62443-4-2:2019 - CR 3.5", "IEC 62443-4-2:2019 - CR 3.6", "NIST SP 800-53 Rev. 5 - SI-10"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "created": "2019-06-10T20:41:03.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0930", "external_id": "M0930"}, {"source_name": "IEC August 2013", "description": "IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/7033"}, {"source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:26.551Z", "name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)", "labels": ["IEC 62443-3-3:2013 - SR 5.1", "IEC 62443-4-2:2019 - CR 5.1", "NIST SP 800-53 Rev. 5 - AC-3"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", "created": "2019-06-11T17:00:01.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0944", "external_id": "M0944"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:26.729Z", "name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "labels": ["IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", "NIST SP 800-53 Rev. 5 - CM-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", "created": "2019-06-06T16:39:58.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0915", "external_id": "M0915"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:26.911Z", "name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "created": "2019-06-10T20:46:02.263Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0931", "external_id": "M0931"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:27.092Z", "name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.", "labels": ["IEC 62443-3-3:2013 - SR 6.2", "IEC 62443-4-2:2019 - CR 6.2", "NIST SP 800-53 Rev. 5 - SI-4"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", "created": "2019-06-06T20:58:59.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0924", "external_id": "M0924"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:27.274Z", "name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "labels": ["IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", "NIST SP 800-53 Rev. 5 - AC-6"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0803", "external_id": "M0803"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:27.444Z", "name": "Data Loss Prevention", "description": "Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.", "labels": ["IEC 62443-3-3:2013 - SR 4.1", "IEC 62443-4-2:2019 - CR 4.1"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2025-03-12T16:11:54.933Z", "name": "Access Management", "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", "labels": ["IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", "NIST SP 800-53 Rev. 5 - AC-3"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "course-of-action", "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0801", "external_id": "M0801"}, {"source_name": "Centre for the Protection of National Infrastructure November 2010", "description": "Centre for the Protection of National Infrastructure 2010, November Configuring and Managing Remote Access for Industrial Control Systems Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf"}, {"source_name": "McCarthy, J et al. July 2018", "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", "url": "https://doi.org/10.6028/NIST.SP.1800-2"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "course-of-action", "id": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0816", "external_id": "M0816"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:27.652Z", "name": "Mitigation Limited or Not Effective", "description": "This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "created": "2019-06-11T17:10:57.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0950", "external_id": "M0950"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:27.827Z", "name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "labels": ["IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - CR 3.2", "NIST SP 800-53 Rev. 5 - SI-16"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", "created": "2019-06-11T16:30:16.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0935", "external_id": "M0935"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:27.991Z", "name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "labels": ["IEC 62443-3-3:2013 - SR 5.1", "IEC 62443-4-2:2019 - CR 5.1", "NIST SP 800-53 Rev. 5 - AC-3; SC-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "created": "2019-06-11T16:35:25.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0938", "external_id": "M0938"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:28.155Z", "name": "Execution Prevention", "description": "Block execution of code on a system through application control, and/or script blocking.", "labels": ["IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - CR 3.2", "NIST SP 800-53 Rev. 5 - SI-3"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0814", "external_id": "M0814"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:28.312Z", "name": "Static Network Configuration", "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.", "labels": ["IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", "NIST SP 800-53 Rev. 5 - CM-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "created": "2019-06-06T21:10:35.792Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0927", "external_id": "M0927"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:28.470Z", "name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "labels": ["IEC 62443-3-3:2013 - SR 1.5", "IEC 62443-4-2:2019 - CR 1.5", "NIST SP 800-53 Rev. 5 - IA-5"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "created": "2019-06-06T21:09:47.115Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0926", "external_id": "M0926"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:28.652Z", "name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "labels": ["IEC 62443-3-3:2013 - SR 1.3", "IEC 62443-4-2:2019 - CR 1.3", "NIST SP 800-53 Rev. 5 - AC-2"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2023-10-20T17:02:00.299Z", "name": "Human User Authentication", "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", "labels": ["IEC 62443-3-3:2013 - SR 1.1", "IEC 62443-4-2:2019 - CR 1.1", "NIST SP 800-53 Rev. 5 - IA-2"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0804", "external_id": "M0804"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "course-of-action", "id": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", "created": "2019-06-06T20:15:34.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0920", "external_id": "M0920"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:28.819Z", "name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "created": "2019-06-11T17:01:25.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0945", "external_id": "M0945"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:28.975Z", "name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "labels": ["IEC 62443-3-3:2013 - SR 3.4", "IEC 62443-4-2:2019 - CR 3.4", "NIST SP 800-53 Rev. 5 - SI-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-10-14T20:31:04.927Z", "name": "Software Process and Device Authentication", "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", "labels": ["IEC 62443-3-3:2013 - SR 1.2", "IEC 62443-4-2:2019 - CR 1.2", "NIST SP 800-53 Rev. 5 - IA-3"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0813", "external_id": "M0813"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "course-of-action", "id": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0808", "external_id": "M0808"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:29.147Z", "name": "Encrypt Network Traffic", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.", "labels": ["IEC 62443-3-3:2013 - SR 4.1", "IEC 62443-4-2:2019 - CR 4.1", "NIST SP 800-53 Rev. 5 - SC-8"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", "created": "2019-06-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0936", "external_id": "M0936"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:29.323Z", "name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "labels": ["IEC 62443-3-3:2013 - SR 1.11", "IEC 62443-4-2:2019 - CR 1.11", "NIST SP 800-53 Rev. 5 - IA-5"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", "created": "2017-10-25T14:48:53.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0913", "external_id": "M0913"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:29.489Z", "name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "labels": ["NIST SP 800-53 Rev. 4 - AT-3", "NIST SP 800-53 Rev. 4 - AT-3"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", "created": "2019-06-11T17:02:36.984Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0946", "external_id": "M0946"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:29.725Z", "name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "labels": ["IEC 62443-4-2:2019 - CR 3.14", "NIST SP 800-53 Rev. 5 - SI-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0805", "external_id": "M0805"}, {"source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:29.910Z", "name": "Mechanical Protection Layers", "description": "Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disk, release values, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "created": "2019-06-11T17:12:55.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0951", "external_id": "M0951"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:30.090Z", "name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.", "labels": ["IEC 62443-4-2:2019 - CR 3.10", "NIST SP 800-53 Rev. 5 - SI-2"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0815", "external_id": "M0815"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:30.248Z", "name": "Watchdog Timers", "description": "Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive.", "labels": ["IEC 62443-4-2:2019 - CR 7.2"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0809", "external_id": "M0809"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:30.453Z", "name": "Operational Information Confidentiality", "description": "Deploy mechanisms to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).", "labels": ["IEC 62443-3-3:2013 - SR 4.1", "IEC 62443-4-2:2019 - CR 4.1"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0928", "external_id": "M0928"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:30.648Z", "name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "labels": ["IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", "NIST SP 800-53 Rev. 5 - CM-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", "created": "2019-06-11T16:28:41.809Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0934", "external_id": "M0934"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:30.822Z", "name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "labels": ["IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - EDR 3.2", "NIST SP 800-53 Rev. 5 - MP-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "created": "2019-06-11T16:43:44.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0941", "external_id": "M0941"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:31.005Z", "name": "Encrypt Sensitive Information", "description": "Protect sensitive data-at-rest with strong encryption.", "labels": ["IEC 62443-3-3:2013 - SR 4.1", "IEC 62443-4-2:2019 - CR 4.1", "NIST SP 800-53 Rev. 5 - SC-28"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "created": "2019-06-10T20:53:36.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0807", "external_id": "M0807"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:31.149Z", "name": "Network Allowlists", "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", "labels": ["NIST SP 800-53 Rev. 5 - AC-3"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", "created": "2021-04-12T17:00:21.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0817", "external_id": "M0817"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:31.301Z", "name": "Supply Chain Management", "description": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.", "labels": ["NIST SP 800-53 Rev. 4 - SA-12", "NIST SP 800-53 Rev. 5 - SR-1"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "created": "2019-07-19T14:33:33.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0953", "external_id": "M0953"}, {"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:31.496Z", "name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.", "labels": ["IEC 62443-3-3:2013 - SR 7.3", "IEC 62443-4-2:2019 - CR 7.3", "NIST SP 800-53 Rev. 5 - CP-9"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0810", "external_id": "M0810"}, {"source_name": "Defense Advanced Research Projects Agency", "description": "Defense Advanced Research Projects Agency National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 ", "url": "https://www.darpa.mil/program/rapid-attack-detection-isolation-and-characterization-systems"}, {"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:31.696Z", "name": "Out-of-Band Communications Channel", "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)", "labels": ["NIST SP 800-53 Rev. 5 - SC-37"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "created": "2019-06-11T17:06:14.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0947", "external_id": "M0947"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:31.848Z", "name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.", "labels": ["IEC 62443-3-3:2013 - SR 3.4", "IEC 62443-4-2:2019 - CR 3.4", "NIST SP 800-53 Rev. 4 - SI-7", "NIST SP 800-53 Rev. 5 - SI-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0802", "external_id": "M0802"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:32.013Z", "name": "Communication Authenticity", "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.", "labels": ["IEC 62443-3-3:2013 - SR 3.1", "IEC 62443-4-2:2019 - CR 3.1", "NIST SP 800-53 Rev. 5 - SC-8; SC-23"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "created": "2019-06-11T16:45:19.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0942", "external_id": "M0942"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:32.177Z", "name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "labels": ["IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", "NIST SP 800-53 Rev. 5 - CM-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", "created": "2019-06-06T19:55:50.927Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0919", "external_id": "M0919"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:32.342Z", "name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0812", "external_id": "M0812"}, {"source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:32.513Z", "name": "Safety Instrumented Systems", "description": "Utilize Safety Instrumented Systems (SIS) to provide an additional layer of protection to hazard scenarios that may cause property damage. A SIS will typically include sensors, logic solvers, and a final control element that can be used to automatically respond to an hazardous condition (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) . Ensure that all SISs are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "created": "2019-06-06T16:50:04.963Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0917", "external_id": "M0917"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:32.717Z", "name": "User Training", "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "labels": ["NIST SP 800-53 Rev. 5 - AT-2"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "created": "2019-06-10T20:53:36.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0932", "external_id": "M0932"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:32.907Z", "name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.", "labels": ["IEC 62443-3-3:2013 - SR 1.7", "IEC 62443-4-2:2019 - CR 1.7", "NIST SP 800-53 Rev. 5 - IA-2"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "created": "2019-06-06T16:47:30.700Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0916", "external_id": "M0916"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:33.110Z", "name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "labels": ["NIST SP 800-53 Rev. 5 - RA-5"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2023-10-20T17:01:38.562Z", "name": "Authorization Enforcement", "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", "labels": ["IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", "NIST SP 800-53 Rev. 5 - AC-3"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0800", "external_id": "M0800"}, {"source_name": "Institute of Electrical and Electronics Engineers January 2014", "description": "Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 2020/09/17 ", "url": "https://standards.ieee.org/standard/1686-2013.html"}, {"source_name": "International Electrotechnical Commission July 2020", "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ", "url": "https://webstore.iec.ch/publication/6912"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "course-of-action", "id": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "created": "2019-06-06T16:50:58.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0918", "external_id": "M0918"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:33.298Z", "name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "labels": ["IEC 62443-3-3:2013 - SR 1.3", "IEC 62443-4-2:2019 - CR 1.3", "NIST SP 800-53 Rev. 5 - AC-2"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0811", "external_id": "M0811"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:33.475Z", "name": "Redundancy of Service", "description": "Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.", "labels": ["NIST SP 800-53 Rev. 5 - CP-9"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "created": "2019-06-06T20:54:49.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0922", "external_id": "M0922"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:33.651Z", "name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "labels": ["IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", "NIST SP 800-53 Rev. 5 - AC-6"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21", "created": "2019-07-19T14:40:23.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0954", "external_id": "M0954"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:33.833Z", "name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.", "labels": ["IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", "NIST SP 800-53 Rev. 5 - CM-7"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "created": "2019-06-11T17:08:33.055Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0949", "external_id": "M0949"}, {"source_name": "NCCIC August 2018", "description": "NCCIC 2018, August 2 Recommended Practice: Updating Antivirus in an Industrial Control System Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/Recommended%20Practice%20Updating%20Antivirus%20in%20an%20Industrial%20Control%20System_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:34.009Z", "name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)", "labels": ["IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - CR 3.2", "NIST SP 800-53 Rev. 4 - SI-3", "NIST SP 800-53 Rev. 5 - SI-3"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0806", "external_id": "M0806"}, {"source_name": "CISA March 2010", "description": "CISA 2010, March Securing Wireless Networks Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003"}, {"source_name": "DHS National Urban Security Technology Laboratory April 2019", "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:34.172Z", "name": "Minimize Wireless Signal Propagation", "description": "Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)", "labels": ["IEC 62443-3-3:2013 - SR 1.6", "IEC 62443-4-2:2019 - CR 1.6", "NIST SP 800-53 Rev. 5 - SC-40"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "created": "2021-02-12T20:07:42.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0605", "external_id": "S0605"}, {"source_name": "EKANS", "description": "(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)(Citation: FireEye Ransomware Feb 2020)"}, {"source_name": "SNAKEHOSE", "description": "(Citation: FireEye Ransomware Feb 2020)"}, {"source_name": "Dragos EKANS", "description": "Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.", "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"}, {"source_name": "Palo Alto Unit 42 EKANS", "description": "Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.", "url": "https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/"}, {"source_name": "FireEye Ransomware Feb 2020", "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:37:51.908Z", "name": "EKANS", "description": "[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["EKANS", "SNAKEHOSE"]}, {"type": "malware", "id": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "created": "2017-05-31T21:32:59.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0093", "external_id": "S0093"}, {"source_name": "Gigamon Berserk Bear October 2021", "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"}, {"source_name": "Symantec Dragonfly Sept 2017", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers"}, {"source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:37:53.808Z", "name": "Backdoor.Oldrea", "description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Backdoor.Oldrea", "Havex"]}, {"modified": "2025-01-02T19:40:26.678Z", "name": "Stuxnet", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.4", "x_mitre_aliases": ["Stuxnet", "W32.Stuxnet"], "type": "malware", "id": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "created": "2020-12-14T17:34:58.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0603", "external_id": "S0603"}, {"source_name": "W32.Stuxnet", "description": "(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) "}, {"source_name": "CISA ICS Advisory ICSA-10-272-01", "description": "CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020.", "url": "https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01"}, {"source_name": "ESET Stuxnet Under the Microscope", "description": "Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.", "url": "https://web-assets.esetstatic.com/wls/2012/11/Stuxnet_Under_the_Microscope.pdf"}, {"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}, {"source_name": "Langer Stuxnet", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585", "created": "2017-05-31T21:33:21.973Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0001", "external_id": "S1004"}, {"source_name": "ESET Win32/Industroyer", "description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}, {"source_name": "Dragos Crashoverride", "description": "Dragos Inc.. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations. Retrieved September 18, 2017.", "url": "https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf"}, {"source_name": "CISA Alert TA17-163A CrashOverride June 2017", "description": "CISA. (2017, June 12). Alert (TA17-163A). Retrieved October 22, 2019.", "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-163A"}, {"source_name": "Dragos Crashoverride 2018", "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}, {"source_name": "Dragos Crashoverride 2019", "description": "Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. Retrieved October 22, 2019.", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:54.754Z", "name": "Industroyer", "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) is a sophisticated piece of malware designed to cause an [Impact](https://collaborate.mitre.org/attackics/index.php/Impact) to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.(Citation: ESET Win32/Industroyer) Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride)(Citation: CISA Alert (TA17-163A))(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2019)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Industroyer", "CRASHOVERRIDE"]}, {"type": "malware", "id": "malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec", "created": "2017-05-31T21:32:59.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0005", "external_id": "S1001"}, {"source_name": "ESET Bad Rabbit Oct 2017", "description": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"}, {"source_name": "Kaspersky Bad Rabbit Oct 2017", "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. (2017, October 27). Bad Rabbit Ransomware. Retrieved October 27, 2019.", "url": "https://securelist.com/bad-rabbit-ransomware/82851/"}, {"source_name": "Dragos IT Ransomware for ICS Environments Apr 2019", "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:54.935Z", "name": "Bad Rabbit", "description": "[Bad Rabbit](https://collaborate.mitre.org/attackics/index.php/Software/S0005) is a self-propagating (\u201cwormable\u201d) ransomware that affected the transportation sector in Ukraine. (Citation: ESET Bad Rabbit Oct 2017)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Bad Rabbit", "Diskcoder.D"]}, {"modified": "2025-01-02T19:45:31.402Z", "name": "Bad Rabbit", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos Apr 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Bad Rabbit", "Win32/Diskcoder.D"], "type": "malware", "id": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "created": "2021-02-09T14:35:39.455Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0606", "external_id": "S0606"}, {"source_name": "Dragos Apr 2019", "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}, {"source_name": "ESET Bad Rabbit", "description": "M.L\u00e9veille, M-E.. (2017, October 24). Bad Rabbit: Not\u2011Petya is back with improved ransomware. Retrieved January 28, 2021.", "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"}, {"source_name": "Secure List Bad Rabbit", "description": "Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.", "url": "https://securelist.com/bad-rabbit-ransomware/82851/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", "created": "2019-03-26T15:02:14.907Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0010", "external_id": "S1008"}, {"source_name": "Wired W32.Stuxnet Dossier Feb 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.", "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"}, {"source_name": "Symantec W32.Stuxnet Writeup", "description": "Jarrad Shearer. (n.d.). W32.Stuxnet Writeup. Retrieved October 22, 2019.", "url": "https://www.symantec.com/security-center/writeup/2010-071400-3123-99"}, {"source_name": "CISA ICS Advisory ICSA-10-238-01B Stuxnet January 2014", "description": "CISA. (2014, January 08). Stuxnet Malware Mitigation (Update B). Retrieved October 22, 2019.", "url": "https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B"}, {"source_name": "SCADAhacker Stuxnet Mitigation Jan 2014", "description": "Joel Langill. (2014, January 21). Stuxnet Mitigation. Retrieved October 22, 2019.", "url": "https://scadahacker.com/resources/stuxnet-mitigation.html"}, {"source_name": "Langer Stuxnet Analysis Nov 2013", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:55.125Z", "name": "Stuxnet", "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.(Citation: Wired W32.Stuxnet Dossier Feb 2011)(Citation: Symantec W32.Stuxnet Writeup)(Citation: CISA ICS Advisory (ICSA-10-238-01B))(Citation: SCADAhacker Stuxnet Mitigation Jan 2014)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Stuxnet"]}, {"type": "malware", "id": "malware--49c04994-1035-4b58-89b7-cf8956e3b423", "created": "2017-05-31T21:32:59.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0012", "external_id": "S1003"}, {"source_name": "Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary", "description": "Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}, {"source_name": "Symantec Conficker Jun 2015", "description": "Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.", "url": "https://support.symantec.com/us/en/article.tech93179.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:55.301Z", "name": "Conficker", "description": "[Conficker](https://collaborate.mitre.org/attackics/index.php/Software/S0012) is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant. (Citation: Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Conficker", "Downadup", "Kido"]}, {"type": "malware", "id": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "created": "2019-03-26T15:02:14.907Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1006", "external_id": "S1006"}, {"source_name": "Spenneberg, Ralf 2016", "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf"}, {"source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:24.423Z", "name": "PLC-Blaster", "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["PLC-Blaster"]}, {"modified": "2023-10-06T14:08:40.134Z", "name": "BlackEnergy", "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.4", "x_mitre_aliases": ["BlackEnergy", "Black Energy"], "type": "malware", "id": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "created": "2017-05-31T21:32:57.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0089", "external_id": "S0089"}, {"source_name": "F-Secure BlackEnergy 2014", "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "created": "2019-03-26T15:02:14.907Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0368", "external_id": "S0368"}, {"source_name": "ExPetr", "description": "(Citation: ESET Telebots June 2017)"}, {"source_name": "Diskcoder.C", "description": "(Citation: ESET Telebots June 2017)"}, {"source_name": "GoldenEye", "description": "(Citation: Talos Nyetya June 2017)"}, {"source_name": "Nyetya", "description": "(Citation: Talos Nyetya June 2017)"}, {"source_name": "Petrwrap", "description": "(Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017)"}, {"source_name": "ESET Telebots June 2017", "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.", "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/"}, {"source_name": "Talos Nyetya June 2017", "description": "Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.", "url": "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html"}, {"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download"}, {"source_name": "US-CERT NotPetya 2017", "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-181A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:38:09.202Z", "name": "NotPetya", "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["NotPetya", "ExPetr", "Diskcoder.C", "GoldenEye", "Petrwrap", "Nyetya"]}, {"type": "malware", "id": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "created": "2021-02-23T20:50:32.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0608", "external_id": "S0608"}, {"source_name": "Kido", "description": "(Citation: SANS Conficker) "}, {"source_name": "Downadup", "description": "(Citation: SANS Conficker) "}, {"source_name": "SANS Conficker", "description": "Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.", "url": "https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm"}, {"source_name": "Conficker Nuclear Power Plant", "description": "Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:38:10.239Z", "name": "Conficker", "description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Conficker", "Kido", "Downadup"]}, {"modified": "2023-10-17T20:05:34.648Z", "name": "LockerGoga", "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.0", "x_mitre_contributors": ["Joe Slowik - Dragos"], "x_mitre_aliases": ["LockerGoga"], "type": "malware", "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "created": "2019-04-16T19:00:49.435Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0372", "external_id": "S0372"}, {"source_name": "CarbonBlack LockerGoga 2019", "description": "CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification \u2013 LockerGoga Ransomware. Retrieved April 16, 2019.", "url": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/"}, {"source_name": "Unit42 LockerGoga 2019", "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.", "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--6108f800-10b8-4090-944e-be579f01263d", "created": "2019-03-26T15:02:14.907Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1010", "external_id": "S1010"}, {"source_name": "Carl Hurd March 2019", "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", "url": "https://www.youtube.com/watch?v=yuZazP22rpI"}, {"source_name": "NCSC CISA Cyclops Blink Advisory February 2022", "description": "NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.", "url": "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"}, {"source_name": "William Largent June 2018", "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:46:34.471Z", "name": "VPNFilter", "description": "[VPNFilter](https://attack.mitre.org/software/S1010) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S1010) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019) [VPNFilter](https://attack.mitre.org/software/S1010) was assessed to be replaced by [Sandworm Team](https://attack.mitre.org/groups/G0034) with [Cyclops Blink](https://attack.mitre.org/software/S0687) starting in 2019.(Citation: NCSC CISA Cyclops Blink Advisory February 2022)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Network Devices", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["VPNFilter"]}, {"type": "malware", "id": "malware--68dca94f-c11d-421e-9287-7c501108e18c", "created": "2017-05-31T21:32:31.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0038", "external_id": "S0038"}, {"source_name": "Symantec W32.Duqu", "description": "Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.", "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:38:14.352Z", "name": "Duqu", "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Duqu"]}, {"type": "malware", "id": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "created": "2023-03-30T19:20:45.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1072", "external_id": "S1072"}, {"source_name": "Industroyer2 Blackhat ESET", "description": "Anton Cherepanov, Robert Lipovsky. (2022, August). Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid. Retrieved April 6, 2023.", "url": "https://www.youtube.com/watch?v=xC9iM5wVedQ"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:38:14.728Z", "name": "Industroyer2", "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Field Controller/RTU/PLC/IED", "Engineering Workstation"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Industroyer2"]}, {"type": "malware", "id": "malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830", "created": "2017-05-31T21:33:21.973Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0016", "external_id": "S1005"}, {"source_name": "ESET BlackEnergy Jan 2016", "description": "Anton Cherepanov. (n.d.). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.", "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"}, {"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:55.503Z", "name": "Killdisk", "description": "In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable. (Citation: ESET BlackEnergy Jan 2016)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Killdisk"]}, {"modified": "2024-12-09T02:29:13.859Z", "name": "WannaCry", "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Jan Miller, CrowdStrike"], "x_mitre_aliases": ["WannaCry", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WCry"], "type": "malware", "id": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "created": "2019-03-25T17:30:17.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0366", "external_id": "S0366"}, {"source_name": "WanaCrypt0r", "description": "(Citation: LogRhythm WannaCry)"}, {"source_name": "WCry", "description": "(Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis)"}, {"source_name": "WanaCry", "description": "(Citation: SecureWorks WannaCry Analysis)"}, {"source_name": "WanaCrypt", "description": "(Citation: SecureWorks WannaCry Analysis)"}, {"source_name": "FireEye WannaCry 2017", "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"}, {"source_name": "SecureWorks WannaCry Analysis", "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.", "url": "https://www.secureworks.com/research/wcry-ransomware-analysis"}, {"source_name": "Washington Post WannaCry 2017", "description": "Dwoskin, E. and Adam, K. (2017, May 14). More than 150 countries affected by massive cyberattack, Europol says. Retrieved March 25, 2019.", "url": "https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4"}, {"source_name": "LogRhythm WannaCry", "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024.", "url": "https://web.archive.org/web/20230522041200/https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"}, {"source_name": "US-CERT WannaCry 2017", "description": "US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-132A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-17T16:12:43.754Z", "name": "Triton", "description": "[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["Triton", "TRISIS", "HatMan"], "type": "malware", "id": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "created": "2019-03-26T15:02:14.907Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1009", "external_id": "S1009"}, {"source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}, {"source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}, {"source_name": "Dragos December 2017", "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf"}, {"source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}, {"source_name": "Julian Gutmanis March 2019", "description": "Julian Gutmanis 2019, March 11 Triton - A Report From The Trenches Retrieved. 2019/03/11 ", "url": "https://www.youtube.com/watch?v=XwSJ8hloGvY"}, {"source_name": "Schneider December 2018", "description": "Schneider 2018, December 14 Security Notification EcoStruxure Triconex Tricon V3 Retrieved. 2019/03/08 ", "url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01"}, {"source_name": "Schneider Electric January 2018", "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ", "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b", "created": "2017-05-31T21:32:59.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0004", "external_id": "S1002"}, {"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:55.679Z", "name": "BlackEnergy 3", "description": "[BlackEnergy 3](https://collaborate.mitre.org/attackics/index.php/Software/S0004) is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid. (Citation: Booz Allen Hamilton)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["BlackEnergy 3"]}, {"modified": "2024-09-12T14:43:31.224Z", "name": "Fuxnet", "description": "[Fuxnet](https://attack.mitre.org/software/S1157) is malware designed to impact the industrial network infrastructure managing control system sensors for utility operations in Moscow. [Fuxnet](https://attack.mitre.org/software/S1157) is linked to an entity referred to as the Blackjack hacking group, which is assessed to be linked to Ukrainian intelligence services.(Citation: Claroty Fuxnet 2024)", "x_mitre_platforms": ["Input/Output Server", "Control Server"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Sharon Brizinov, Claroty Team82 Research"], "x_mitre_aliases": ["Fuxnet"], "type": "malware", "id": "malware--931e2489-8078-4f9f-85b2-a9211950e75b", "created": "2024-09-11T22:47:34.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1157", "external_id": "S1157"}, {"source_name": "Claroty Fuxnet 2024", "description": "Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.", "url": "https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f", "created": "2021-04-13T12:28:31.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0017", "external_id": "S0017"}, {"source_name": "Forbes Snake Ransomware June 2020", "description": "Davey Winder. (2020, June 10). Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations. Retrieved April 12, 2021.", "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad"}, {"source_name": "MalwareByes Honda and Enel Ransomware June 2020", "description": "MalwareBytes. (2020, June 09). Honda and Enel impacted by cyber attack suspected to be ransomware. Retrieved April 12, 2021.", "url": "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/"}, {"source_name": "Dragos EKANS February 2020", "description": "Dragos Threat Intelligence. (2020, February 03). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.", "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"}, {"source_name": "FireEye OT Ransomware July 2020", "description": "Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. Retrieved April 12, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html"}, {"source_name": "Pylos January 2020", "description": "Joe Slowik. (2020, January 28). Getting the Story Right, and Why It Matters. Retrieved April 12, 2021.", "url": "https://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/"}, {"source_name": "Dragos EKANS June 2020", "description": "Joe Slowik. (2020, June 18). EKANS Ransomware Misconceptions and Misunderstandings. Retrieved April 12, 2021.", "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/#_edn7"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:55.859Z", "name": "EKANS", "description": "[EKANS](https://collaborate.mitre.org/attackics/index.php/Software/S0017) is ransomware that was first seen December 2019 and later reported to have impacted operations at Honda automotive production facilities.(Citation: Forbes Snake Ransomware June 2020)(Citation: MalwareByes Honda and Enel Ransomware June 2020)(Citation: Dragos EKANS February 2020) EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).(Citation: Dragos EKANS February 2020) If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the \u201cSnake\u201d malware associated with the Turla group. The ICS processes documented within the malware\u2019s kill-list is similar to those defined by the MEGACORTEX software.(Citation: FireEye OT Ransomware July 2020)(Citation: Pylos January 2020)(Citation: Dragos EKANS June 2020)The ransomware was initially reported as \u201cSnake\u201d, however, to avoid confusion with the unrelated Turla APT group security researchers spelled it backwards as EKANS.", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["EKANS", "SNAKEHOSE"]}, {"type": "malware", "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "created": "2020-05-13T20:14:53.171Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0446", "external_id": "S0446"}, {"source_name": "Ryuk", "description": "(Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL) "}, {"source_name": "Bleeping Computer - Ryuk WoL", "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.", "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/"}, {"source_name": "FireEye Ryuk and Trickbot January 2019", "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"}, {"source_name": "CrowdStrike Ryuk January 2019", "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"}, {"source_name": "FireEye FIN6 Apr 2019", "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:38:27.373Z", "name": "Ryuk", "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.4", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["The DFIR Report, @TheDFIRReport", "Matt Brenton, Zurich Insurance Group"], "x_mitre_aliases": ["Ryuk"]}, {"type": "malware", "id": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", "created": "2017-05-31T21:32:59.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1000", "external_id": "S1000"}, {"source_name": "ESET", "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:25.077Z", "name": "ACAD/Medre.A", "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) is a worm that steals operational information. The worm collects AutoCAD files with drawings. [ACAD/Medre.A](https://attack.mitre.org/software/S1000) has the capability to be used for industrial espionage.(Citation: ESET)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["ACAD/Medre.A"]}, {"modified": "2024-11-17T23:08:38.543Z", "name": "REvil", "description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.2", "x_mitre_contributors": ["Edward Millington"], "x_mitre_aliases": ["REvil", "Sodin", "Sodinokibi"], "type": "malware", "id": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "created": "2020-08-04T15:06:14.796Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0496", "external_id": "S0496"}, {"source_name": "Sodin", "description": "(Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)"}, {"source_name": "Sodinokibi", "description": "(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)"}, {"source_name": "Talos Sodinokibi April 2019", "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.", "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"}, {"source_name": "Secureworks REvil September 2019", "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"}, {"source_name": "Cylance Sodinokibi July 2019", "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.", "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html"}, {"source_name": "Group IB Ransomware May 2020", "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020.", "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html"}, {"source_name": "G Data Sodinokibi June 2019", "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.", "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data"}, {"source_name": "Intel 471 REvil March 2020", "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.", "url": "https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/"}, {"source_name": "Kaspersky Sodin July 2019", "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.", "url": "https://securelist.com/sodin-ransomware/91473/"}, {"source_name": "McAfee Sodinokibi October 2019", "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"}, {"source_name": "Picus Sodinokibi January 2020", "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.", "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware"}, {"source_name": "McAfee REvil October 2019", "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 Crescendo. Retrieved August 5, 2020.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/"}, {"source_name": "Secureworks GandCrab and REvil September 2019", "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.", "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection"}, {"source_name": "Tetra Defense Sodinokibi March 2020", "description": "Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20210414101816/https://tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-11-20T23:33:20.890Z", "name": "FrostyGoop", "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) is a Windows-based binary written in Golang that allows for interaction with industrial control system (ICS) equipment via Modbus TCP over port 502. [FrostyGoop](https://attack.mitre.org/software/S1165) allows for reading and writing data to holding registers on targeted devices, manipulating the operation of systems for malicious purposes. [FrostyGoop](https://attack.mitre.org/software/S1165) is associated with the [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041) in Ukraine.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)", "x_mitre_platforms": ["Control Server", "Field Controller/RTU/PLC/IED"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["FrostyGoop", "BUSTLEBERM"], "type": "malware", "id": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05", "created": "2024-11-20T23:02:16.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1165", "external_id": "S1165"}, {"source_name": "BUSTLEBERM", "description": "(Citation: Nozomi BUSTLEBERM 2024)"}, {"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}, {"source_name": "Nozomi BUSTLEBERM 2024", "description": "Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.", "url": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "created": "2022-09-28T20:07:40.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1045", "external_id": "S1045"}, {"source_name": "PIPEDREAM", "description": "(Citation: Dragos-Pipedream)(Citation: Wylie-22)"}, {"source_name": "CISA-AA22-103A", "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}, {"source_name": "Dragos-Pipedream", "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"}, {"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}, {"source_name": "Brubaker-Incontroller", "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"}, {"source_name": "Schneider-Incontroller", "description": "Schneider Electric. (2022, April 14). Schneider Electric Security Bulletin: \u201cAPT Cyber Tools Targeting ICS/SCADA Devices\u201d . Retrieved September 28, 2022.", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2022-01"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:25.242Z", "name": "INCONTROLLER", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. [INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed [INCONTROLLER](https://attack.mitre.org/software/S1045) was developed by CHERNOVITE.(Citation: CISA-AA22-103A)(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Schneider-Incontroller)(Citation: Wylie-22) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", "Engineering Workstation", "Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Jimmy Wylie, Dragos, Inc."], "x_mitre_aliases": ["INCONTROLLER", "PIPEDREAM"]}, {"modified": "2023-10-06T14:09:52.833Z", "name": "KillDisk", "description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)", "x_mitre_platforms": ["Linux", "Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["KillDisk", "Win32/KillDisk.NBI", "Win32/KillDisk.NBH", "Win32/KillDisk.NBD", "Win32/KillDisk.NBC", "Win32/KillDisk.NBB"], "type": "malware", "id": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "created": "2021-01-20T18:05:07.059Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0607", "external_id": "S0607"}, {"source_name": "KillDisk Ransomware", "description": "Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.", "url": "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/"}, {"source_name": "ESEST Black Energy Jan 2016", "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.", "url": "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"}, {"source_name": "Trend Micro KillDisk 1", "description": "Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.", "url": "https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html"}, {"source_name": "Trend Micro KillDisk 2", "description": "Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.", "url": "https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T16:06:34.700Z", "name": "Industroyer", "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.1", "x_mitre_contributors": ["Dragos Threat Intelligence", "Joe Slowik - Dragos"], "x_mitre_aliases": ["Industroyer", "CRASHOVERRIDE", "Win32/Industroyer"], "type": "malware", "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "created": "2021-01-04T20:42:21.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0604", "external_id": "S0604"}, {"source_name": "CRASHOVERRIDE", "description": "(Citation: Dragos Crashoverride 2017)"}, {"source_name": "Win32/Industroyer", "description": "(Citation: ESET Industroyer)"}, {"source_name": "ESET Industroyer", "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}, {"source_name": "Dragos Crashoverride 2017", "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"}, {"source_name": "Dragos Crashoverride 2018", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "created": "2017-05-31T21:33:21.973Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0143", "external_id": "S0143"}, {"source_name": "Flame", "description": "(Citation: Kaspersky Flame)"}, {"source_name": "sKyWIper", "description": "(Citation: Kaspersky Flame) (Citation: Crysys Skywiper)"}, {"source_name": "Flamer", "description": "(Citation: Kaspersky Flame) (Citation: Symantec Beetlejuice)"}, {"source_name": "Kaspersky Flame", "description": "Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.", "url": "https://securelist.com/the-flame-questions-and-answers-51/34344/"}, {"source_name": "Crysys Skywiper", "description": "sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.", "url": "https://www.crysys.hu/publications/files/skywiper.pdf"}, {"source_name": "Symantec Beetlejuice", "description": "Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017.", "url": "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:38:46.014Z", "name": "Flame", "description": "[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Flame", "Flamer", "sKyWIper"]}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0107", "external_id": "TA0107"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:21.065Z", "name": "Inhibit Response Function", "description": "The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.\n\nInhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. These techniques aim to actively deter and prevent expected alarms and responses that arise due to statuses in the ICS environment. Adversaries may modify or update system logic, or even outright prevent responses with a denial-of-service. They may result in the prevention, destruction, manipulation, or modification of programs, logic, devices, and communications. As prevention functions are generally dormant, reporting and processing functions can appear fine, but may have been altered to prevent failure responses in dangerous scenarios. Unlike [Evasion](https://attack.mitre.org/tactics/TA0103), Inhibit Response Function techniques may be more intrusive, such as actively preventing responses to a known dangerous scenario. Adversaries may use these techniques to follow through with or provide cover for [Impact](https://attack.mitre.org/tactics/TA0105) techniques.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "inhibit-response-function"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046", "created": "2021-04-10T17:32:33.899Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0111", "external_id": "TA0111"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:21.215Z", "name": "Privilege Escalation", "description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "privilege-escalation"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0109", "external_id": "TA0109"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:21.394Z", "name": "Lateral Movement", "description": "The adversary is trying to move through your ICS environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. These techniques abuse default credentials, known accounts, and vulnerable services, and may also leverage dual-homed devices and systems that reside on both the IT and OT networks. The adversary uses these techniques to pivot to their next point in the environment, positioning themselves to where they want to be or think they should be. Following through on their primary objective often requires [Discovery](https://attack.mitre.org/tactics/TA0102) of the network and [Collection](https://attack.mitre.org/tactics/TA0100) to develop awareness of unique ICS devices and processes, in order to find their target and subsequently gain access to it. Reaching this objective often involves pivoting through multiple systems, devices, and accounts. Adversaries may install their own remote tools to accomplish Lateral Movement or leverage default tools, programs, and manufacturer set or other legitimate credentials native to the network, which may be stealthier.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "lateral-movement"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0102", "external_id": "TA0102"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:21.555Z", "name": "Discovery", "description": "The adversary is locating information to assess and identify their targets in your environment.\n\nDiscovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "discovery"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0108", "external_id": "TA0108"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:21.756Z", "name": "Initial Access", "description": "The adversary is trying to get into your ICS environment.\n\nInitial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "initial-access"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279", "created": "2019-03-14T18:44:44.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0105", "external_id": "TA0105"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:21.936Z", "name": "Impact", "description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.\n\nImpact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques, which often manifest in more self-revealing impacts on operations, or [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary\u2019s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.\n\n[Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828), [Theft of Operational Information](https://attack.mitre.org/techniques/T0882), and [Damage to Property](https://attack.mitre.org/techniques/T0879) are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "impact"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0110", "external_id": "TA0110"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:22.111Z", "name": "Persistence", "description": "The adversary is trying to maintain their foothold in your ICS environment.\n\nPersistence consists of techniques that adversaries use to maintain access to ICS systems and devices across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that allow them to secure their ongoing activity and keep their foothold on systems. This may include replacing or hijacking legitimate code, firmware, and other project files, or adding startup code and downloading programs onto devices.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "persistence"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0104", "external_id": "TA0104"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:22.274Z", "name": "Execution", "description": "The adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network [Discovery](https://attack.mitre.org/tactics/TA0102) and [Collection](https://attack.mitre.org/tactics/TA0100), impact operations, and inhibit response functions.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "execution"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0101", "external_id": "TA0101"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:22.441Z", "name": "Command and Control", "description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.\n\nCommand and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim\u2019s network structure and defenses.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "command-and-control"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0100", "external_id": "TA0100"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:22.653Z", "name": "Collection", "description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal.\n\nCollection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of [Discovery](https://attack.mitre.org/tactics/TA0102), to compile data on control systems and targets of interest that may be used to follow through on the adversary\u2019s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "collection"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0103", "external_id": "TA0103"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:22.834Z", "name": "Evasion", "description": "The adversary is trying to avoid security defenses.\n\nEvasion consists of techniques that adversaries use to avoid technical defenses throughout their campaign. Techniques used for evasion include removal of indicators of compromise, spoofing communications, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense evasion for this purpose are often more passive in nature.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "evasion"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0106", "external_id": "TA0106"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:23.006Z", "name": "Impair Process Control", "description": "The adversary is trying to manipulate, disable, or damage physical control processes.\n\nImpair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107) techniques in tandem, to assist with the successful abuse of control processes to result in [Impact](https://attack.mitre.org/tactics/TA0105).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "impair-process-control"}, {"type": "attack-pattern", "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0803", "external_id": "T0803"}, {"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"}, {"source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:01.218Z", "name": "Block Command Message", "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Process: Process Termination", "Operational Databases: Process History/Live Data", "Application Log: Application Log Content", "Network Traffic: Network Traffic Flow", "Operational Databases: Process/Event Alarm"]}, {"type": "attack-pattern", "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0881", "external_id": "T0881"}, {"source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ", "url": "https://attack.mitre.org/techniques/T1489/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:03.170Z", "name": "Service Stop", "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["File: File Modification", "Command: Command Execution", "Process: OS API Execution", "Process: Process Termination", "Service: Service Metadata", "Windows Registry: Windows Registry Key Modification", "Process: Process Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0836", "external_id": "T0836"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:10.077Z", "name": "Modify Parameter", "description": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.3", "x_mitre_data_sources": ["Asset: Asset Inventory", "Application Log: Application Log Content", "Operational Databases: Device Alarm", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0821", "external_id": "T0821"}, {"source_name": "IEC February 2013", "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", "url": "https://webstore.iec.ch/publication/4552"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:10.230Z", "name": "Modify Controller Tasking", "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Application Log: Application Log Content", "Operational Databases: Device Alarm", "Asset: Software"]}, {"type": "attack-pattern", "id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0887", "external_id": "T0887"}, {"source_name": "Bastille April 2017", "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack"}, {"source_name": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018", "description": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. 2018, April Guide to Industrial Wireless Systems Deployments Retrieved. 2020/12/01 ", "url": "https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-4.pdf"}, {"source_name": "Gallagher, S. April 2017", "description": "Gallagher, S. 2017, April 12 Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack Retrieved. 2020/12/01 ", "url": "https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:10.392Z", "name": "Wireless Sniffing", "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["ICSCoE Japan"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow"]}, {"type": "attack-pattern", "id": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0829", "external_id": "T0829"}, {"source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"}, {"source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25", "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"}, {"source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:08.228Z", "name": "Loss of View", "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0800", "external_id": "T0800"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:10.552Z", "name": "Activate Firmware Update Mode", "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Joe Slowik - Dragos"], "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Operational Databases: Device Alarm", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0831", "external_id": "T0831"}, {"source_name": "Bruce Schneier January 2008", "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"}, {"source_name": "John Bill May 2017", "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/"}, {"source_name": "Shelley Smith February 2008", "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:10.752Z", "name": "Manipulation of Control", "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0814", "external_id": "T0814"}, {"source_name": "Common Weakness Enumeration January 2019", "description": "Common Weakness Enumeration 2019, January 03 CWE-400: Uncontrolled Resource Consumption Retrieved. 2019/03/14 ", "url": "http://cwe.mitre.org/data/definitions/400.html"}, {"source_name": "ICS-CERT April 2017", "description": "ICS-CERT 2017, April 18 CS Alert (ICS-ALERT-17-102-01A) BrickerBot Permanent Denial-of-Service Attack Retrieved. 2019/10/24 ", "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A"}, {"source_name": "ICS-CERT August 2018", "description": "ICS-CERT 2018, August 27 Advisory (ICSA-15-202-01) - Siemens SIPROTEC Denial-of-Service Vulnerability Retrieved. 2019/03/14 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01"}, {"source_name": "MITRE March 2018", "description": "MITRE 2018, March 22 CVE-2015-5374 Retrieved. 2019/03/14 ", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5374"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:10.656Z", "name": "Denial of Service", "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow", "Application Log: Application Log Content", "Operational Databases: Process History/Live Data"]}, {"type": "attack-pattern", "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0805", "external_id": "T0805"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:10.923Z", "name": "Block Serial COM", "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Operational Databases: Process/Event Alarm", "Network Traffic: Network Traffic Flow", "Operational Databases: Process History/Live Data", "Application Log: Application Log Content", "Process: Process Termination"]}, {"type": "attack-pattern", "id": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "created": "2024-03-25T20:16:15.016Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0894", "external_id": "T0894"}, {"source_name": "GTFO split", "description": "GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.", "url": "https://gtfobins.github.io/gtfobins/split/"}, {"source_name": "LOLBAS Project", "description": "Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.", "url": "https://github.com/LOLBAS-Project/LOLBAS#criteria"}, {"source_name": "split man page", "description": "Torbjorn Granlund, Richard M. Stallman. (2020, March null). split(1) \u2014 Linux manual page. Retrieved March 25, 2022.", "url": "https://man7.org/linux/man-pages/man1/split.1.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:11.559Z", "name": "System Binary Proxy Execution", "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)\n\nAdversaries may abuse application binaries installed on a system for proxy execution of malicious code or domain-specific commands. These commands could be used to target local resources on the device or networked devices within the environment through defined APIs ([Execution through API](https://attack.mitre.org/techniques/T0871)) or application-specific programming languages (e.g., MicroSCADA SCIL). Application binaries may be signed by the developer or generally trusted by the operators, analysts, and monitoring tools accustomed to the environment. These applications may be developed and/or directly provided by the device vendor to enable configuration, management, and operation of their devices without many alternatives. \n\nAdversaries may seek to target these trusted application binaries to execute or send commands without the development of custom malware. For example, adversaries may target a SCADA server binary which has the existing ability to send commands to substation devices, such as through IEC 104 command messages. Proxy execution may still require the development of custom tools to hook into the application binary\u2019s execution.\n\n", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Script: Script Execution", "Command: Command Execution", "Process: Process Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0850", "external_id": "T0850"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:51.553Z", "name": "Role Identification", "description": "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.\n\nFor example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows", "Human-Machine Interface", "Control Server", "Data Historian", "Field Controller/RTU/PLC/IED"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0807", "external_id": "T0807"}, {"source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 Command-Line Interface Retrieved. 2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1059"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:11.069Z", "name": "Command-Line Interface", "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Command: Command Execution", "Application Log: Application Log Content", "Process: Process Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0861", "external_id": "T0861"}, {"source_name": "Dennis L. Sloatman September 2016", "description": "Dennis L. Sloatman 2016, September 16 Understanding PLC Programming Methods and the Tag Database System Retrieved. 2017/12/19 ", "url": "https://www.radioworld.com/industry/understanding-plc-programming-methods-and-the-tag-database-system"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:11.231Z", "name": "Point & Tag Identification", "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Jos Wetzels - Midnight Blue"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0816", "external_id": "T0816"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:11.395Z", "name": "Device Restart/Shutdown", "description": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow", "Application Log: Application Log Content", "Operational Databases: Device Alarm", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0863", "external_id": "T0863"}, {"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}, {"source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html"}, {"source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:15.054Z", "name": "User Execution", "description": "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Command: Command Execution", "Application Log: Application Log Content", "Network Traffic: Network Connection Creation", "File: File Access", "Process: Process Creation", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0860", "external_id": "T0860"}, {"source_name": "Alexander Bolshev March 2014", "description": "Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved November 17, 2024. ", "url": "https://www.slideshare.net/slideshow/17-bolshev-1-13/32178888"}, {"source_name": "Alexander Bolshev, Gleb Cherbov July 2014", "description": "Alexander Bolshev, Gleb Cherbov 2014, July 08 ICSCorsair: How I will PWN your ERP through 4-20 mA current loop Retrieved. 2020/01/05 ", "url": "https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf"}, {"source_name": "Bruce Schneier January 2008", "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"}, {"source_name": "John Bill May 2017", "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/"}, {"source_name": "Shelley Smith February 2008", "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:15.610Z", "name": "Wireless Compromise", "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Scott Dougherty"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Logon Session: Logon Session Creation", "Application Log: Application Log Content", "Network Traffic: Network Traffic Flow"]}, {"type": "attack-pattern", "id": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0858", "external_id": "T0858"}, {"source_name": "Machine Information Systems 2007", "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ", "url": "http://www.machine-information-systems.com/How_PLCs_Work.html"}, {"source_name": "N.A. October 2017", "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ", "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489"}, {"source_name": "Omron", "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ", "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified."}, {"source_name": "PLCgurus 2021", "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ", "url": "https://www.plcgurus.net/plc-basics/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:11.583Z", "name": "Change Operating Mode", "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Operational Databases: Device Alarm"]}, {"type": "attack-pattern", "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0878", "external_id": "T0878"}, {"source_name": "Jos Wetzels, Marina Krotofil 2019", "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ", "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:11.789Z", "name": "Alarm Suppression", "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Marina Krotofil", "Jos Wetzels - Midnight Blue"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow", "Operational Databases: Process History/Live Data", "Operational Databases: Device Alarm", "Operational Databases: Process/Event Alarm"]}, {"type": "attack-pattern", "id": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0868", "external_id": "T0868"}, {"source_name": "Machine Information Systems 2007", "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ", "url": "http://www.machine-information-systems.com/How_PLCs_Work.html"}, {"source_name": "N.A. October 2017", "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ", "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489"}, {"source_name": "Omron", "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ", "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified."}, {"source_name": "PLCgurus 2021", "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ", "url": "https://www.plcgurus.net/plc-basics/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:11.972Z", "name": "Detect Operating Mode", "description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", "created": "2021-04-12T07:57:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0837", "external_id": "T0837"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:12.172Z", "name": "Loss of Protection", "description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0801", "external_id": "T0801"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:12.337Z", "name": "Monitor Process State", "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0853", "external_id": "T0853"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:12.511Z", "name": "Scripting", "description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. \n\nIn addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Command: Command Execution", "Process: Process Creation", "Process: Process Metadata", "Module: Module Load", "Script: Script Execution"]}, {"type": "attack-pattern", "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0888", "external_id": "T0888"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:12.694Z", "name": "Remote System Information Discovery", "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content", "File: File Access", "Process: Process Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0845", "external_id": "T0845"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:12.867Z", "name": "Program Upload", "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0819", "external_id": "T0819"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:13.044Z", "name": "Exploit Public-Facing Application", "description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Application Log: Application Log Content", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0811", "external_id": "T0811"}, {"source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A"}, {"source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:13.205Z", "name": "Data from Information Repositories", "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Logon Session: Logon Session Creation", "Network Share: Network Share Access", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "created": "2021-10-14T15:25:32.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0864", "external_id": "T0864"}, {"source_name": "North American Electric Reliability Corporation June 2021", "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:21.226Z", "name": "Transient Cyber Asset", "description": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. \n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. \n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. ", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0835", "external_id": "T0835"}, {"source_name": "Dr. Kelvin T. Erickson December 2010", "description": "Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved November 17, 2024.", "url": "https://www.scribd.com/document/458637574/Programmable-Logic-Controllers"}, {"source_name": "Nanjundaiah, Vaidyanath", "description": "Nanjundaiah, Vaidyanath Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 PLC Ladder Logic Basics Retrieved. 2021/10/11 ", "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:22.225Z", "name": "Manipulate I/O Image", "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Asset: Software"]}, {"type": "attack-pattern", "id": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0842", "external_id": "T0842"}, {"source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 Network Sniffing Retrieved. 2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1040"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:13.380Z", "name": "Network Sniffing", "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Process: Process Creation", "Command: Command Execution"]}, {"type": "attack-pattern", "id": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0851", "external_id": "T0851"}, {"source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 Rootkit Retrieved. 2018/05/16 ", "url": "https://attack.mitre.org/wiki/Technique/T1014"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:13.542Z", "name": "Rootkit", "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "evasion"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Firmware: Firmware Modification"]}, {"type": "attack-pattern", "id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0802", "external_id": "T0802"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:24.843Z", "name": "Automated Collection", "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Script: Script Execution", "Command: Command Execution", "File: File Access", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0804", "external_id": "T0804"}, {"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"}, {"source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:13.771Z", "name": "Block Reporting Message", "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Operational Databases: Process/Event Alarm", "Process: Process Termination", "Application Log: Application Log Content", "Network Traffic: Network Traffic Flow", "Operational Databases: Process History/Live Data"]}, {"type": "attack-pattern", "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0855", "external_id": "T0855"}, {"source_name": "Benjamin Freed March 2019", "description": "Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 ", "url": "https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/"}, {"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"}, {"source_name": "Zack Whittaker April 2017", "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:13.939Z", "name": "Unauthorized Command Message", "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Operational Databases: Process History/Live Data", "Application Log: Application Log Content", "Network Traffic: Network Traffic Flow", "Operational Databases: Process/Event Alarm", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0809", "external_id": "T0809"}, {"source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 File Deletion Retrieved. 2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1107"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:14.108Z", "name": "Data Destruction", "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Matan Dobrushin - Otorio"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["File: File Modification", "Process: Process Creation", "File: File Deletion", "Command: Command Execution"]}, {"type": "attack-pattern", "id": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0832", "external_id": "T0832"}, {"source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"}, {"source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25", "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"}, {"source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:29.210Z", "name": "Manipulation of View", "description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0810", "external_id": "T0810"}, {"source_name": "Industroyer - Dragos - 201810", "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:51.727Z", "name": "Data Historian Compromise", "description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. \n\nDragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. (Citation: Industroyer - Dragos - 201810) The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be \"expected to have extensive connections\" within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.\n\nPermissions Required: Administrator\n\nContributors: Joe Slowik - Dragos", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Joe Slowik - Dragos"], "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0841", "external_id": "T0841"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:51.904Z", "name": "Network Service Scanning", "description": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap].\n\nAn adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .\n\nScanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows", "Field Controller/RTU/PLC/IED"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0872", "external_id": "T0872"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:14.295Z", "name": "Indicator Removal on Host", "description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_data_sources": ["Command: Command Execution", "Process: OS API Execution", "Windows Registry: Windows Registry Key Modification", "File: File Metadata", "Windows Registry: Windows Registry Key Deletion", "File: File Deletion", "File: File Modification", "Process: Process Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0877", "external_id": "T0877"}, {"source_name": "Nanjundaiah, Vaidyanath", "description": "Nanjundaiah, Vaidyanath PLC Ladder Logic Basics Retrieved. 2021/10/11 ", "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm"}, {"source_name": "Spenneberg, Ralf 2016", "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:14.462Z", "name": "I/O Image", "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Asset: Software"]}, {"type": "attack-pattern", "id": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0815", "external_id": "T0815"}, {"source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"}, {"source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25", "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"}, {"source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:33.142Z", "name": "Denial of View", "description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1"}, {"type": "attack-pattern", "id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0871", "external_id": "T0871"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:14.643Z", "name": "Execution through API", "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Process: OS API Execution"]}, {"type": "attack-pattern", "id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0862", "external_id": "T0862"}, {"source_name": "Control Global May 2019", "description": "Control Global 2019, May 29 Yokogawa announcement warns of counterfeit transmitters Retrieved. 2021/04/09 ", "url": "https://www.controlglobal.com/industrynews/2019/yokogawa-announcement-warns-of-counterfeit-transmitters/"}, {"source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:14.822Z", "name": "Supply Chain Compromise", "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["File: File Metadata"]}, {"type": "attack-pattern", "id": "attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0854", "external_id": "T0854"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:52.087Z", "name": "Serial Connection Enumeration", "description": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.\n\nWhile IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows", "Input/Output Server", "Field Controller/RTU/PLC/IED"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0880", "external_id": "T0880"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:14.990Z", "name": "Loss of Safety", "description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0828", "external_id": "T0828"}, {"source_name": "Colonial Pipeline Company May 2021", "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ", "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption"}, {"source_name": "Lion Corporation June 2020", "description": "Lion Corporation 2020, June 26 Lion Cyber incident update: 26 June 2020 Retrieved. 2021/10/08 ", "url": "https://lionco.com/2020/06/26/lion-update-re-cyber-issue/"}, {"source_name": "Paganini, Pierluigi June 2020", "description": "Paganini, Pierluigi 2020, June 14 Ransomware attack disrupts operations at Australian beverage company Lion Retrieved. 2021/10/08 ", "url": "https://securityaffairs.co/wordpress/104749/cyber-crime/ransomware-attack-hit-lion.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:15.157Z", "name": "Loss of Productivity and Revenue", "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0865", "external_id": "T0865"}, {"source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"}, {"source_name": "Enterprise ATT&CK October 2019", "description": "Enterprise ATT&CK 2019, October 25 Spearphishing Attachment Retrieved. 2019/10/25 ", "url": "https://attack.mitre.org/techniques/T1193/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:15.346Z", "name": "Spearphishing Attachment", "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Process: Process Creation", "File: File Creation", "Network Traffic: Network Traffic Content", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0825", "external_id": "T0825"}, {"source_name": "Guidance - NIST SP800-82", "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:52.279Z", "name": "Location Identification", "description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. \n\nAn adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows", "Control Server"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "created": "2024-03-26T15:39:19.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0895", "external_id": "T0895"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:42.824Z", "name": "Autorun Image", "description": "Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor. \n\nAn example could include an adversary gaining access to a hypervisor through the management interface to modify a virtual machine\u2019s hardware configuration. They could then deploy an iso image with a malicious AutoRun script to cause the virtual machine to automatically execute the code contained on the disk image. This would enable the execution of malicious code within a virtual machine without needing any prior remote access to that system.\n", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_data_sources": ["Drive: Drive Creation", "Process: Process Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0817", "external_id": "T0817"}, {"source_name": "Cybersecurity & Infrastructure Security Agency March 2018", "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:15.525Z", "name": "Drive-by Compromise", "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Application Log: Application Log Content", "Process: Process Creation", "File: File Creation", "Network Traffic: Network Connection Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0879", "external_id": "T0879"}, {"source_name": "Bruce Schneier January 2008", "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"}, {"source_name": "BSI State of IT Security 2014", "description": "Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3"}, {"source_name": "John Bill May 2017", "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/"}, {"source_name": "Shelley Smith February 2008", "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:15.731Z", "name": "Damage to Property", "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1"}, {"type": "attack-pattern", "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0856", "external_id": "T0856"}, {"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:15.909Z", "name": "Spoof Reporting Message", "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "evasion"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow", "Operational Databases: Device Alarm", "Windows Registry: Windows Registry Key Modification", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0866", "external_id": "T0866"}, {"source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Exploitation of Remote Services Retrieved. 2019/10/27 ", "url": "https://attack.mitre.org/techniques/T1210/"}, {"source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:16.054Z", "name": "Exploitation of Remote Services", "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Application Log: Application Log Content", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0812", "external_id": "T0812"}, {"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:16.206Z", "name": "Default Credentials", "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Logon Session: Logon Session Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0822", "external_id": "T0822"}, {"source_name": "Daniel Oakley, Travis Smith, Tripwire", "description": "Daniel Oakley, Travis Smith, Tripwire Retrieved. 2018/05/30 ", "url": "https://attack.mitre.org/wiki/Technique/T1133"}, {"source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:16.385Z", "name": "External Remote Services", "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow", "Logon Session: Logon Session Metadata", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0806", "external_id": "T0806"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:16.573Z", "name": "Brute Force I/O", "description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. \n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Operational Databases: Process History/Live Data", "Application Log: Application Log Content", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0870", "external_id": "T0870"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:52.452Z", "name": "Detect Program State", "description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows", "Field Controller/RTU/PLC/IED"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0830", "external_id": "T0830"}, {"source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"}, {"source_name": "Gabriel Sanchez October 2017", "description": "Gabriel Sanchez 2017, October Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark Retrieved. 2020/01/05 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:16.777Z", "name": "Adversary-in-the-Middle", "description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Conrad Layne - GE Digital"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "2.0", "x_mitre_data_sources": ["Windows Registry: Windows Registry Key Modification", "Process: Process Creation", "Network Traffic: Network Traffic Flow", "Service: Service Creation", "Network Traffic: Network Traffic Content", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0820", "external_id": "T0820"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:16.960Z", "name": "Exploitation for Evasion", "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0827", "external_id": "T0827"}, {"source_name": "BSI State of IT Security 2014", "description": "Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3"}, {"source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"}, {"source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25", "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"}, {"source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:56.356Z", "name": "Loss of Control", "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Dragos Threat Intelligence"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0875", "external_id": "T0875"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:52.634Z", "name": "Change Program State", "description": "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Field Controller/RTU/PLC/IED"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0874", "external_id": "T0874"}, {"source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Hooking Retrieved. 2019/10/27 ", "url": "https://attack.mitre.org/techniques/T1179/"}, {"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:58:56.978Z", "name": "Hooking", "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "privilege-escalation"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Process: OS API Execution", "Process: Process Metadata"]}, {"type": "attack-pattern", "id": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0808", "external_id": "T0808"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:52.814Z", "name": "Control Device Identification", "description": "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows", "Field Controller/RTU/PLC/IED"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0844", "external_id": "T0844"}, {"source_name": "Guidance - IEC61131", "description": "John Karl-Heinz. (n.d.). Programming Industrial Automation Systems. Retrieved October 22, 2019.", "url": "http://www.dee.ufrj.br/controle%20automatico/cursos/IEC61131-3%20Programming%20Industrial%20Automation%20Systems.pdf"}, {"source_name": "PLCBlaster - Spenneberg", "description": "Spenneberg, Ralf, Maik Br\u00fcggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}, {"source_name": "Stuxnet - Symantec - 201102", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.", "url": "https://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/w32%20stuxnet%20dossier.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:53.005Z", "name": "Program Organization Units", "description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows", "Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0823", "external_id": "T0823"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:17.144Z", "name": "Graphical User Interface", "description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Process: Process Creation", "Command: Command Execution", "Module: Module Load", "Logon Session: Logon Session Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0848", "external_id": "T0848"}, {"source_name": "Bastille April 2017", "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack"}, {"source_name": "Zack Whittaker April 2017", "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:17.326Z", "name": "Rogue Master", "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Asset: Asset Inventory", "Network Traffic: Network Traffic Flow", "Operational Databases: Device Alarm", "Network Traffic: Network Traffic Content", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "created": "2021-04-13T12:36:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0834", "external_id": "T0834"}, {"source_name": "The MITRE Corporation May 2017", "description": "The MITRE Corporation 2017, May 31 ATT&CK T1106: Native API Retrieved. 2021/04/26 ", "url": "https://attack.mitre.org/techniques/T1106/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:17.499Z", "name": "Native API", "description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Process: OS API Execution"]}, {"type": "attack-pattern", "id": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0826", "external_id": "T0826"}, {"source_name": "Colonial Pipeline Company May 2021", "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ", "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption"}, {"source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"}, {"source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25", "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"}, {"source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:59:00.088Z", "name": "Loss of Availability", "description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0882", "external_id": "T0882"}, {"source_name": "Mark Thompson March 2016", "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/"}, {"source_name": "Danny Yadron December 2015", "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ", "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:17.698Z", "name": "Theft of Operational Information", "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0857", "external_id": "T0857"}, {"source_name": "Basnight, Zachry, et al.", "description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ", "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:17.862Z", "name": "System Firmware", "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "persistence"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Operational Databases: Device Alarm", "Application Log: Application Log Content", "Firmware: Firmware Modification", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0849", "external_id": "T0849"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:18.036Z", "name": "Masquerading", "description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \n\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Service: Service Creation", "File: File Modification", "Process: Process Metadata", "Command: Command Execution", "Scheduled Job: Scheduled Job Modification", "Service: Service Modification", "File: File Metadata", "Scheduled Job: Scheduled Job Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0843", "external_id": "T0843"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:18.212Z", "name": "Program Download", "description": "Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space. \n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Operational Databases: Device Alarm", "Network Traffic: Network Traffic Content", "Asset: Asset Inventory", "Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0847", "external_id": "T0847"}, {"source_name": "BBC April 2016", "description": "BBC 2016, April 28 German nuclear plant hit by computer viruses Retrieved. 2019/10/14 ", "url": "https://www.bbc.com/news/technology-36158606"}, {"source_name": "Catalin Cimpanu April 2016", "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}, {"source_name": "Christoph Steitz, Eric Auchard April 2016", "description": "Christoph Steitz, Eric Auchard 2016, April 26 German nuclear plant infected with computer viruses, operator says Retrieved. 2019/10/14 ", "url": "https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS"}, {"source_name": "Dark Reading Staff April 2016", "description": "Dark Reading Staff 2016, April 28 German Nuclear Power Plant Infected With Malware Retrieved. 2019/10/14 ", "url": "https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298"}, {"source_name": "ESET April 2016", "description": "ESET 2016, April 28 Malware found at a German nuclear power plant Retrieved. 2019/10/14 ", "url": "https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/"}, {"source_name": "Kernkraftwerk Gundremmingen April 2016", "description": "Kernkraftwerk Gundremmingen 2016, April 25 Detektion von Bro-Schadsoftware an mehreren Rechnern Retrieved. 2019/10/14 ", "url": "https://www.kkw-gundremmingen.de/presse.php?id=571"}, {"source_name": "Lee Mathews April 2016", "description": "Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses. Retrieved November 17, 2024. ", "url": "https://web.archive.org/web/20160430041256/https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/"}, {"source_name": "Peter Dockrill April 2016", "description": "Peter Dockrill 2016, April 28 Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant Retrieved. 2019/10/14 ", "url": "https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant"}, {"source_name": "Sean Gallagher April 2016", "description": "Sean Gallagher 2016, April 27 German nuclear plants fuel rod system swarming with old malware Retrieved. 2019/10/14 ", "url": "https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/"}, {"source_name": "Trend Micro April 2016", "description": "Trend Micro 2016, April 27 Malware Discovered in German Nuclear Power Plant Retrieved. 2019/10/14 ", "url": "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:59:04.946Z", "name": "Replication Through Removable Media", "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Process: Process Creation", "File: File Creation", "Drive: Drive Creation", "File: File Access"]}, {"type": "attack-pattern", "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0852", "external_id": "T0852"}, {"source_name": "ICS-CERT October 2017", "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:18.404Z", "name": "Screen Capture", "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_data_sources": ["Command: Command Execution", "Process: OS API Execution"]}, {"type": "attack-pattern", "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", "created": "2022-09-29T13:35:38.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0891", "external_id": "T0891"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:18.583Z", "name": "Hardcoded Credentials", "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Aagam Shah, @neutrinoguy, ABB"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Logon Session: Logon Session Creation"]}, {"type": "attack-pattern", "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0859", "external_id": "T0859"}, {"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:59:08.866Z", "name": "Valid Accounts", "description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "persistence"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["User Account: User Account Authentication", "Logon Session: Logon Session Creation", "Logon Session: Logon Session Metadata"]}, {"type": "attack-pattern", "id": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0890", "external_id": "T0890"}, {"source_name": "The MITRE Corporation", "description": "The MITRE Corporation The MITRE Corporation ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ", "url": "https://attack.mitre.org/techniques/T1068/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:18.792Z", "name": "Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "privilege-escalation"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Application Log: Application Log Content"]}, {"type": "attack-pattern", "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0846", "external_id": "T0846"}, {"source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 Remote System Discovery Retrieved. 2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1018"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:18.958Z", "name": "Remote System Discovery", "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["File: File Access", "Process: Process Creation", "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow"]}, {"type": "attack-pattern", "id": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0818", "external_id": "T0818"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:53.188Z", "name": "Engineering Workstation Compromise", "description": "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Joe Slowik - Dragos"], "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Engineering Workstation"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0884", "external_id": "T0884"}, {"source_name": "Enterprise ATT&CK January 2018", "description": "Enterprise ATT&CK 2018, January 11 Connection Proxy Retrieved. 2018/05/17 ", "url": "https://attack.mitre.org/wiki/Technique/T1090"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:19.127Z", "name": "Connection Proxy", "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow"]}, {"type": "attack-pattern", "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0869", "external_id": "T0869"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:19.328Z", "name": "Standard Application Layer Protocol", "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0833", "external_id": "T0833"}, {"source_name": "Stuxnet - Langner - 201311", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}, {"source_name": "Maroochy - MITRE - 200808", "description": "Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study\u2013 Maroochy Water Services, Australia. Retrieved March 27, 2018.", "url": "https://www.mitre.org/sites/default/files/pdf/08%201145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:53.367Z", "name": "Modify Control Logic", "description": "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. \n\nProgram code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active.\n\nAn adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools.\n\nAn adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. \n\nIt is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the \u201creal\u201d pressure is for given analog signals and then automatically linearize the measurement to what would be the \u201creal\u201d pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be \u201ccorrected\u201d during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. (Citation: Stuxnet - Langner - 201311)\n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Maroochy - MITRE - 200808)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Safety Instrumented System/Protection Relay", "Field Controller/RTU/PLC/IED"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "created": "2021-04-12T19:26:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0886", "external_id": "T0886"}, {"source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}, {"source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"}, {"source_name": "Dragos December 2017", "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf"}, {"source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:19.525Z", "name": "Remote Services", "description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Daisuke Suzuki"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow", "Module: Module Load", "Logon Session: Logon Session Creation", "Process: Process Creation", "Command: Command Execution", "Network Traffic: Network Connection Creation", "Network Share: Network Share Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-ics-attack", "url": "https://attack.mitre.org/techniques/T0824", "external_id": "T0824"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:53.554Z", "name": "I/O Module Discovery", "description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_domains": ["ics-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows", "Field Controller/RTU/PLC/IED"], "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0813", "external_id": "T0813"}, {"source_name": "Corero", "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"}, {"source_name": "Mark Loveless April 2017", "description": "Mark Loveless 2017, April 11 THE DALLAS COUNTY SIREN HACK Retrieved. 2020/11/06 ", "url": "https://duo.com/decipher/the-dallas-county-siren-hack"}, {"source_name": "Michael J. Assante and Robert M. Lee", "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25", "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"}, {"source_name": "Tyson Macaulay", "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:59:15.775Z", "name": "Denial of Control", "description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1"}, {"type": "attack-pattern", "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0838", "external_id": "T0838"}, {"source_name": "Jos Wetzels, Marina Krotofil 2019", "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ", "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:19.764Z", "name": "Modify Alarm Settings", "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Application Log: Application Log Content", "Asset: Asset Inventory", "Operational Databases: Process History/Live Data", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0885", "external_id": "T0885"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:19.961Z", "name": "Commonly Used Port", "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Matan Dobrushin - Otorio"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0873", "external_id": "T0873"}, {"source_name": "Beckhoff", "description": "Beckhoff TwinCAT 3 Source Control: Project Files Retrieved. 2019/11/21 ", "url": "https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id="}, {"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}, {"source_name": "PLCdev", "description": "PLCdev Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 Siemens SIMATIC Step 7 Programmer's Handbook Retrieved. 2019/11/21 ", "url": "http://www.plcdev.com/book/export/html/373"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:59:17.481Z", "name": "Project File Infection", "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["File: File Modification"]}, {"type": "attack-pattern", "id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0840", "external_id": "T0840"}, {"source_name": "MITRE", "description": "MITRE System Network Connections Discovery Retrieved. 2018/05/31 ", "url": "https://attack.mitre.org/wiki/Technique/T1049"}, {"source_name": "Netstat", "description": "Wikipedia. (n.d.). Netstat. Retrieved May 23, 2022.", "url": "https://en.wikipedia.org/wiki/Netstat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:59:18.381Z", "name": "Network Connection Enumeration", "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Command: Command Execution", "Process: Process Creation", "Script: Script Execution", "Process: OS API Execution"]}, {"type": "attack-pattern", "id": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0867", "external_id": "T0867"}, {"source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Enterprise ATT&CK Lateral Tool Transfer Retrieved. 2019/10/27 Lateral Tool Transfer Retrieved. 2019/10/27 ", "url": "https://attack.mitre.org/techniques/T1570/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:20.126Z", "name": "Lateral Tool Transfer", "description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "lateral-movement"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Network Share: Network Share Access", "File: File Metadata", "File: File Creation", "Network Traffic: Network Traffic Content", "Command: Command Execution", "Process: Process Creation", "Network Traffic: Network Traffic Flow"]}, {"type": "attack-pattern", "id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0839", "external_id": "T0839"}, {"source_name": "Daniel Peck, Dale Peterson January 2009", "description": "Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ", "url": "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:20.310Z", "name": "Module Firmware", "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "persistence"}, {"kill_chain_name": "mitre-ics-attack", "phase_name": "impair-process-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.1", "x_mitre_data_sources": ["Operational Databases: Device Alarm", "Application Log: Application Log Content", "Network Traffic: Network Traffic Content", "Firmware: Firmware Modification"]}, {"type": "attack-pattern", "id": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0883", "external_id": "T0883"}, {"source_name": "Danny Yadron December 2015", "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ", "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"}, {"source_name": "Mark Thompson March 2016", "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/"}, {"source_name": "NCCIC January 2014", "description": "NCCIC 2014, January 1 Internet Accessible Control Systems At Risk Retrieved. 2019/11/07 ", "url": "https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf"}, {"source_name": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler", "description": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats Retrieved. 2021/04/12 ", "url": "https://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-factory-honeypot-to-capture-real-threats.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:20.494Z", "name": "Internet Accessible Device", "description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Logon Session: Logon Session Metadata", "Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "created": "2023-03-30T18:56:02.424Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0893", "external_id": "T0893"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:59:23.577Z", "name": "Data from Local System", "description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["File: File Access", "Process: Process Creation", "Script: Script Execution", "Process: OS API Execution", "Command: Command Execution"]}, {"type": "attack-pattern", "id": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "created": "2023-03-30T14:04:17.023Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0892", "external_id": "T0892"}, {"source_name": "German BAS Lockout Dec 2021", "description": "Kelly Jackson Higgins. (2021, December 20). Lights Out: Cyberattacks Shut Down Building Automation Systems. Retrieved March 30, 2023.", "url": "https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:20.690Z", "name": "Change Credential", "description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device\u2019s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "inhibit-response-function"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Felix Eberstaller"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.0", "x_mitre_data_sources": ["Operational Databases: Device Alarm", "Network Traffic: Network Traffic Content"]}, {"type": "attack-pattern", "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0889", "external_id": "T0889"}, {"source_name": "IEC February 2013", "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", "url": "https://webstore.iec.ch/publication/4552"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T19:59:24.213Z", "name": "Modify Program", "description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.", "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["ics-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["None"], "x_mitre_version": "1.2", "x_mitre_data_sources": ["Network Traffic: Network Traffic Content", "Operational Databases: Device Alarm", "Asset: Software", "Application Log: Application Log Content"]}, {"modified": "2023-10-04T17:46:20.340Z", "name": "Application Server", "description": "Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).", "x_mitre_sectors": ["General"], "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "created": "2023-09-28T14:58:00.982Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0008", "external_id": "A0008"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:09:35.474Z", "name": "Application Log Content", "description": "Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: \n\n- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).\n- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).\n- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.\n- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.\n- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.\n\nThis data component can be collected through the following measures:\n\nConfigure Application Logging\n\n- Enable logging within the application or service.\n- Examples:\n - Web Servers: Enable access and error logs in NGINX or Apache.\n - Email Systems: Enable audit logging in Microsoft Exchange or Gmail.\n\nCentralized Log Management\n\n- Use log management solutions like Splunk, or a cloud-native logging solution.\n- Configure the application to send logs to a centralized system for analysis.\n\nCloud-Specific Collection\n\n- Use services like AWS CloudWatch, Azure Monitor, or Google Cloud Operations Suite for cloud-based applications.\n- Ensure logging is enabled for all critical resources (e.g., API calls, IAM changes).\n\nSIEM Integration\n\n- Integrate application logs with a SIEM platform (e.g., Splunk, QRadar) for real-time correlation and analysis.\n- Use parsers to standardize log formats and extract key fields like timestamps, user IDs, and error codes.", "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-12-18T18:59:44.199Z", "name": "2015 Ukraine Electric Power Attack", "description": "[2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.", "aliases": ["2015 Ukraine Electric Power Attack"], "first_seen": "2015-12-01T05:00:00.000Z", "last_seen": "2016-01-01T05:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Booz Allen Hamilton)", "x_mitre_last_seen_citation": "(Citation: Booz Allen Hamilton)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", "id": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "created": "2023-09-27T13:11:52.340Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0028", "external_id": "C0028"}, {"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack", "enterprise-attack"]}, {"modified": "2023-09-28T14:23:52.358Z", "name": "Workstation", "description": "Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.", "x_mitre_sectors": ["General"], "x_mitre_related_assets": [{"name": "Transient Cyber Asset (TCA)", "related_asset_sectors": ["Electric"], "description": "A Transient Cyber Asset (TCA)(Citation: North American Electric Reliability Corporation June 2021) is a mobile workstation that is used to support management functions across multiple different networks, rather than being dedicated to any specific device/network. The TCA is often used to directly manage ICS environments that do not have any dedicated support for external remote access. Therefore, the TCA provides a mechanism for connectivity and file transfer to many networks/devices, even if they are segmented or \u201cair gapped\u201d from other networks. "}, {"name": "Engineering Workstation (EWS)", "related_asset_sectors": ["General"], "description": "An Engineering Workstation (EWS) is used to perform various maintenance, configuration, or diagnostics functions for a control system. The EWS will likely require dedicated application software to interface with various devices (e.g., RTUs, PLCs), and may be used to transfer data or files between the control system devices and other networks. "}], "x_mitre_platforms": ["Windows"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "created": "2023-09-28T14:22:49.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0001", "external_id": "A0001"}, {"source_name": "North American Electric Reliability Corporation June 2021", "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-04T18:01:02.506Z", "name": "Intelligent Electronic Device (IED)", "description": "An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.", "x_mitre_sectors": ["Electric"], "x_mitre_related_assets": [{"name": "Protection Relay", "related_asset_sectors": ["Electric"], "description": "A protection relay is a type of IED used within the electric sector to monitor for faults or problematic operating conditions on power lines, busses, or transformers. While traditionally protection relays were electromechanical or electromagnetic devices, modern relays utilize microprocessors, embedded operating system, and SCADA communications."}, {"name": "Field Device / Controller", "related_asset_sectors": [], "description": "IEDs may be referred to as Field Controllers or Field Devices as a general function name. "}], "x_mitre_platforms": ["Embedded"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "created": "2023-09-28T14:46:42.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0005", "external_id": "A0005"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-16T18:49:26.400Z", "name": "Routers", "description": "A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)", "x_mitre_sectors": ["General"], "x_mitre_platforms": ["Embedded"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "created": "2023-09-29T18:55:09.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0014", "external_id": "A0014"}, {"source_name": "IETF RFC4949 2007", "description": "Internet Engineering Task Force. (2007, August). Internet Security Glossary, Version 2. Retrieved September 29, 2023.", "url": "https://www.ietf.org/rfc/rfc4949.txt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-04T18:08:33.386Z", "name": "Data Gateway", "description": "Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:\n\n * Protocol Translation: Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. \n * Media Converter: Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. \n * Data Aggregation: Collect and combine data from different devices into one consistent format and protocol interface. \n\nData gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. Further, these devices often have remote various network services that are used to communicate across different zones or networks. \n\nThese assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case. \n", "x_mitre_sectors": ["General"], "x_mitre_related_assets": [{"name": "Data Acquisition Server (DAS)", "related_asset_sectors": ["General"], "description": "A Data Acquisition Server (DAS) a system or software platform that is used to collect, aggregate, and store data/telemetry from field devices using various SCADA/Automation protocols. "}, {"name": "Serial to Ethernet Gateway", "related_asset_sectors": ["Electric", "General"], "description": "A Serial to Ethernet gateway is a device that is used to connect field devices that only support serial-based communication (e.g., RS-232) with more modern Ethernet-based networks. "}], "x_mitre_platforms": ["Windows", "Linux", "Embedded"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "created": "2023-09-28T15:01:48.509Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0009", "external_id": "A0009"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:09:42.067Z", "name": "User Account Authentication", "description": "An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.\n\n*Data Collection Measures:*\n\n- Host-Based Authentication Logs\n - Windows Event Logs\n - Event ID 4776 \u2013 NTLM authentication attempt.\n - Event ID 4624 \u2013 Successful user logon.\n - Event ID 4625 \u2013 Failed authentication attempt.\n - Event ID 4648 \u2013 Explicit logon with alternate credentials.\n - Linux/macOS Authentication Logs\n - `/var/log/auth.log`, `/var/log/secure` \u2013 Logs SSH, sudo, and other authentication attempts.\n - AuditD \u2013 Tracks authentication events via PAM modules.\n - macOS Unified Logs \u2013 `/var/db/diagnostics` captures authentication failures.\n- Cloud Authentication Logs\n - Azure AD Logs\n - Sign-in Logs \u2013 Tracks authentication attempts, MFA challenges, and conditional access failures.\n - Audit Logs \u2013 Captures authentication-related configuration changes.\n - Microsoft Graph API \u2013 Provides real-time sign-in analytics.\n - Google Workspace & Office 365\n - Google Admin Console \u2013 `User Login Report` tracks login attempts and failures.\n - Office 365 Unified Audit Logs \u2013 Captures logins across Exchange, SharePoint, and Teams.\n - AWS CloudTrail & IAM\n - Tracks authentication via `AWS IAM AuthenticateUser` and `sts:GetSessionToken`.\n - Logs failed authentications to AWS Management Console and API requests.\n- Container Authentication Monitoring\n - Kubernetes Authentication Logs\n - kubectl audit logs \u2013 Captures authentication attempts for service accounts and admin users.\n - Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) \u2013 Logs IAM authentication events.", "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2023-10-04T17:59:11.489Z", "name": "Human-Machine Interface (HMI)", "description": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.", "x_mitre_sectors": ["General"], "x_mitre_related_assets": [{"name": "Operator Workstation (OWS)", "related_asset_sectors": ["General"], "description": "An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. (Citation: IEC February 2019)"}], "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "created": "2023-09-28T14:38:54.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0002", "external_id": "A0002"}, {"source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", "created": "2021-10-20T15:05:19.275Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:01.621Z", "name": "Network Share Access", "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5140 \u2013 Network Share Object Access Logs every access attempt to a network share.\n - Event ID 5145 \u2013 Detailed Network Share Object Access Captures granular access control information, including the requesting user, source IP, and access permissions.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated Helps track SMB connections to suspicious or unauthorized network shares.\n - Enable Audit Policy for Network Share Access: `auditpol /set /subcategory:\"File Share\" /success:enable /failure:enable`\n - Enable PowerShell Logging to Detect Unauthorized SMB Access: `Set-ExecutionPolicy RemoteSigned`\n - Restrict Network Share Access with Group Policy (GPO): `Computer Configuration \u2192 Windows Settings \u2192 Security Settings \u2192 Local Policies \u2192 User Rights Assignment` Set \"Access this computer from the network\" to restrict unauthorized accounts.\n- Linux/macOS:\n - AuditD (`open`, `read`, `write`, `connect` syscalls) Detects access to NFS, CIFS, and SMB network shares.\n - Lsof (`lsof | grep nfs` or `lsof | grep smb`) Identifies active network share connections.\n - Mount (`mount | grep nfs` or `mount | grep cifs`) Lists currently mounted network shares.\n - Enable AuditD for SMB/NFS Access: `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access`\n - Monitor Active Network Shares Using Netstat: `netstat -an | grep :445`\n- Endpoint Detection & Response (EDR):\n - Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity.", "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-11-17T16:15:02.223Z", "name": "Triton Safety Instrumented System Attack", "description": "[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n", "aliases": ["Triton Safety Instrumented System Attack"], "first_seen": "2017-06-01T04:00:00.000Z", "last_seen": "2017-08-01T04:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Triton-EENews-2017)", "x_mitre_last_seen_citation": "(Citation: Triton-EENews-2017)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", "id": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "created": "2024-03-25T17:47:37.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0030", "external_id": "C0030"}, {"source_name": "Triton-EENews-2017", "description": "Blake Sobczak. (2019, March 7). The inside story of the world\u2019s most dangerous malware. Retrieved March 25, 2024.", "url": "https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"}, {"source_name": "FireEye TRITON 2017", "description": "Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}, {"source_name": "FireEye TRITON 2018", "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack", "enterprise-attack"]}, {"modified": "2024-01-08T20:40:31.822Z", "name": "Dragonfly", "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", "aliases": ["Dragonfly", "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear", "Ghost Blizzard", "BROMINE"], "x_mitre_deprecated": false, "x_mitre_version": "4.0", "x_mitre_contributors": ["Dragos Threat Intelligence"], "type": "intrusion-set", "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "created": "2017-05-31T21:32:05.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0035", "external_id": "G0035"}, {"source_name": "DYMALLOY", "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)"}, {"source_name": "Berserk Bear", "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"}, {"source_name": "TEMP.Isotope", "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)"}, {"source_name": "Ghost Blizzard", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "BROMINE", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "Crouching Yeti", "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"}, {"source_name": "IRON LIBERTY", "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)"}, {"source_name": "TG-4192", "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)"}, {"source_name": "Dragonfly", "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"}, {"source_name": "Energetic Bear", "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"}, {"source_name": "CISA AA20-296A Berserk Bear December 2020", "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions"}, {"source_name": "DOJ Russia Targeting Critical Infrastructure March 2022", "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.", "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical"}, {"source_name": "Dragos DYMALLOY ", "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.", "url": "https://www.dragos.com/threat/dymalloy/"}, {"source_name": "Fortune Dragonfly 2.0 Sept 2017", "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/"}, {"source_name": "Mandiant Ukraine Cyber Threats January 2022", "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.", "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Secureworks MCMD July 2019", "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.", "url": "https://www.secureworks.com/research/mcmd-malware-analysis"}, {"source_name": "Secureworks IRON LIBERTY July 2019", "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.", "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"}, {"source_name": "Secureworks Karagany July 2019", "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.", "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector"}, {"source_name": "Gigamon Berserk Bear October 2021", "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"}, {"source_name": "Symantec Dragonfly Sept 2017", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers"}, {"source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"}, {"source_name": "Symantec Dragonfly 2.0 October 2017", "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"}, {"source_name": "UK GOV FSB Factsheet April 2022", "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.", "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:07.996Z", "name": "File Access", "description": "To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: \n\n- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.\n- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).\n- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows).\n- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).\n- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).\n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name.\n- Sysmon:\n - Event ID 11: Logs file creation time changes.\n - Event ID 1 (process creation): Can provide insight into files executed.\n- PowerShell: Commands to monitor file access in real-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`\n\nLinux\n\n- Auditd: Monitor file access events using audit rules: `auditctl -w /path/to/file -p rwxa -k file_access`\n- View logs: `ausearch -k file_access`\n- Inotify: Use inotify to track file access on Linux: `inotifywait -m /path/to/watch -e access`\n\nmacOS\n\n- Unified Logs: Monitor file access using the macOS Unified Logging System.\n- FSEvents: File System Events can track file accesses: `fs_usage | grep open`\n\nNetwork Devices\n\n- SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol.\n- NAS Logs: Collect logs from network-attached storage systems for file access events.\n\nSIEM Integration\n\n- Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis.", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-08-14T15:24:19.141Z", "name": "HEXANE", "description": "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", "aliases": ["HEXANE", "Lyceum", "Siamesekitten", "Spirlin"], "x_mitre_deprecated": false, "x_mitre_version": "2.3", "x_mitre_contributors": ["Dragos Threat Intelligence", "Mindaugas Gudzis, BT Security"], "type": "intrusion-set", "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1001", "external_id": "G1001"}, {"source_name": "Spirlin", "description": "(Citation: Accenture Lyceum Targets November 2021)"}, {"source_name": "Siamesekitten", "description": "(Citation: ClearSky Siamesekitten August 2021)"}, {"source_name": "Lyceum", "description": "(Citation: SecureWorks August 2019)"}, {"source_name": "Accenture Lyceum Targets November 2021", "description": "Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.", "url": "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns"}, {"source_name": "ClearSky Siamesekitten August 2021", "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By \u201cSiamesekitten\u201d - Lyceum. Retrieved June 6, 2022.", "url": "https://www.clearskysec.com/siamesekitten/"}, {"source_name": "Dragos Hexane", "description": "Dragos. (n.d.). Hexane. Retrieved October 27, 2019.", "url": "https://dragos.com/resource/hexane/"}, {"source_name": "Kaspersky Lyceum October 2021", "description": "Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.", "url": "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf"}, {"source_name": "SecureWorks August 2019", "description": "SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 ", "url": "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:11.410Z", "name": "File Modification", "description": "Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: \n\n- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\System32\\drivers\\etc\\hosts` on Windows.\n- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows.\n- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.\n- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows.\n- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.\n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Event Logs: Enable file system auditing to monitor file modifications using Security Event ID 4670 (File System Audit) or Sysmon Event ID 2 (File creation time changed).\n- PowerShell: Use Get-ItemProperty or Get-Acl cmdlets to monitor file properties: `Get-Item -Path \"C:\\path\\to\\file\" | Select-Object Name, Attributes, LastWriteTime`\n\nLinux\n\n- File System Monitoring: Use tools like auditd with rules to monitor file modifications: `auditctl -w /path/to/file -p wa -k file_modification`\n- Inotify: Use inotifywait to watch for real-time changes to files or directories: `inotifywait -m /path/to/file`\n\nmacOS\n\n- Endpoint Security Framework (ESF): Monitor file modification events using ESF APIs.\n- Audit Framework: Configure audit rules to track file changes.\n- Command-Line Tools: Use fs_usage to monitor file activities: `fs_usage -w /path/to/file`\n\nSIEM Tools\n\n- Collect logs from endpoint agents (e.g., Sysmon, Auditd) and file servers to centralize file modification event data.", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2023-10-04T19:26:49.788Z", "name": "Field I/O", "description": "Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. ", "x_mitre_related_assets": [{"name": "Smart Sensors", "related_asset_sectors": ["General"], "description": "*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication."}, {"name": "Variable Frequency Drive (VFD)", "related_asset_sectors": ["General"], "description": "*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected."}], "x_mitre_platforms": ["Embedded"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "created": "2023-09-28T17:57:22.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0013", "external_id": "A0013"}, {"source_name": "Guidance - NIST SP800-82", "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:27.797Z", "name": "Process Creation", "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - EDRs provide process telemetry, tracking execution flows and arguments.\n- Windows Event Logs:\n - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation): Provides detailed logging\n- Linux/macOS Monitoring:\n - AuditD (execve syscall): Logs process creation.\n - eBPF/XDP: Used for low-level monitoring of system calls related to process execution.\n - OSQuery: Allows SQL-like queries to track process events (process_events table).\n - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.\n- Network-Based Monitoring:\n - Zeek (Bro) Logs: Captures network-based process execution related to remote shells.\n - Syslog/OSSEC: Tracks execution of processes on distributed systems.\n- Behavioral SIEM Rules:\n - Monitor process creation for uncommon binaries in user directories.\n - Detect processes with suspicious command-line arguments. ", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:51.004Z", "name": "Service Metadata", "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "created": "2022-05-11T16:22:58.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:36.694Z", "name": "Process/Event Alarm", "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2023-10-04T17:57:56.558Z", "name": "Data Historian", "description": "Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network.", "x_mitre_sectors": ["General"], "x_mitre_platforms": ["Windows", "Linux", "Embedded"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "created": "2023-09-28T14:48:36.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0006", "external_id": "A0006"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-04T18:05:43.237Z", "name": "Remote Terminal Unit (RTU)", "description": "A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.", "x_mitre_sectors": ["Electric", "Water and Wastewater", "General"], "x_mitre_platforms": ["Embedded", "Windows", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "created": "2023-09-28T14:44:54.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0004", "external_id": "A0004"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-16T18:49:08.504Z", "name": "Safety Controller", "description": "Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.", "x_mitre_related_assets": [{"name": "Safety Instrumented System (SIS) controller", "related_asset_sectors": [], "description": "SIS controllers are used to \u201ctake the process to a safe state when predetermined conditions are violated\u201d (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. "}, {"name": "Emergency Shutdown Systems (ESD) controller", "related_asset_sectors": [], "description": "Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system \u201cto a safe static condition so that any remedial action can be taken\u201d. (Citation: SIGTTO ESD 2021)"}, {"name": "Burner Management Systems (BMS) controller", "related_asset_sectors": [], "description": "Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences."}], "x_mitre_platforms": ["Embedded"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "created": "2023-09-28T15:10:05.534Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0010", "external_id": "A0010"}, {"source_name": "Guidance - NIST SP800-82", "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "SIGTTO ESD 2021", "description": "Society of International Gas Tanker & Terminal Operators Ltd. (2021). ESD Systems: Recommendations for Emergency Shutdown and Related Safety Systems (Second Edition). Retrieved September 28, 2023.", "url": "https://sigtto.org/media/3457/sigtto-2021-esd-systems.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:16.672Z", "name": "Network Traffic Content", "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2023-10-04T18:03:06.811Z", "name": "Jump Host", "description": "Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts. ", "x_mitre_sectors": ["General"], "x_mitre_related_assets": [{"name": "Intermediate System", "related_asset_sectors": ["Electric"], "description": "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)"}], "x_mitre_platforms": ["Windows", "Linux", "Embedded"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "created": "2023-09-28T17:52:53.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0012", "external_id": "A0012"}, {"source_name": "North American Electric Reliability Corporation June 2021", "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-04T18:09:21.296Z", "name": "Programmable Logic Controller (PLC)", "description": "A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device\u2019s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.", "x_mitre_sectors": ["General"], "x_mitre_related_assets": [{"name": "Process Automation Controller (PAC)", "related_asset_sectors": ["General"], "description": "Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls. "}, {"name": "Field Device / Controller", "related_asset_sectors": [], "description": "Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name. "}], "x_mitre_platforms": ["Embedded"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "created": "2023-09-28T14:43:05.105Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0003", "external_id": "A0003"}, {"source_name": "IEC February 2013", "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", "url": "https://webstore.iec.ch/publication/4552"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:54.408Z", "name": "Service Creation", "description": "The registration of a new service or daemon on an operating system.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n - Event ID 4697 - Captures the creation of a new Windows service.\n - Event ID 7045 - Captures services installed by administrators or adversaries.\n - Event ID 7034 - Could indicate malicious service modification or exploitation.\n- Sysmon Logs\n - Sysmon Event ID 1 - Process Creation (captures service executables).\n - Sysmon Event ID 4 - Service state changes (detects service installation).\n - Sysmon Event ID 13 - Registry modifications (captures service persistence changes).\n- PowerShell Logging\n - Monitor `New-Service` and `Set-Service` PowerShell cmdlets in Event ID 4104 (Script Block Logging).\n- Linux/macOS Collection Methods\n - AuditD & Syslog Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`)\n - AuditD Rules:\n - `auditctl -w /etc/systemd/system -p wa -k service_creation`\n - Detects changes to `systemd` service configurations.\n- Systemd Journals (`journalctl -u `)\n - Captures newly created systemd services.\n- LaunchDaemons & LaunchAgents (macOS)\n - Monitor `/Library/LaunchDaemons/` and `/Library/LaunchAgents/` for new plist files.", "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:31.145Z", "name": "OS API Execution", "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Leverage tools to monitor API execution behaviors at the process level.\n - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.\n- Process Monitor (ProcMon):\n - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis.\n- Windows Event Logs:\n - Use Event IDs from Windows logs for specific API-related activities:\n - Event ID 4688: A new process has been created (can indirectly infer API use).\n - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).\n- Dynamic Analysis Tools:\n - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.\n- Host-Based Logs:\n - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.\n- Runtime Monitors:\n - Runtime security tools like Falco can monitor system-level calls for API execution.\n- Debugging and Tracing:\n - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:30.145Z", "name": "Command Execution", "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . -list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.\n\nThis data component can be collected through the following measures:\n\nEnable Command Logging\n\n- Windows:\n - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name EnableScriptBlockLogging -Value 1`\n - Enable Windows Event Logging:\n - Event ID 4688: Tracks process creation, including command-line arguments.\n - Event ID 4104: Logs PowerShell script block execution.\n- Linux/macOS:\n - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='history -a; history -w'`\n - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`\n- Containers:\n - Use runtime-specific tools like Docker\u2019s --log-driver or Kubernetes Audit Logs to capture exec commands.\n\nIntegrate with Centralized Logging\n\n- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:\n`index=windows EventID=4688 CommandLine=*`\n\nUse Endpoint Detection and Response (EDR) Tools\n\n- Monitor command executions via EDR solutions \n\nDeploy Sysmon for Advanced Logging (Windows)\n\n- Use Sysmon's Event ID 1 to log process creation with command-line arguments", "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-04-11T16:06:34.700Z", "name": "APT33", "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)", "aliases": ["APT33", "HOLMIUM", "Elfin", "Peach Sandstorm"], "x_mitre_deprecated": false, "x_mitre_version": "2.0", "x_mitre_contributors": ["Dragos Threat Intelligence"], "type": "intrusion-set", "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0064", "external_id": "G0064"}, {"source_name": "APT33", "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)"}, {"source_name": "HOLMIUM", "description": "(Citation: Microsoft Holmium June 2020)"}, {"source_name": "Peach Sandstorm", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "Elfin", "description": "(Citation: Symantec Elfin Mar 2019)"}, {"source_name": "FireEye APT33 Webinar Sept 2017", "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.", "url": "https://www.brighttalk.com/webcast/10703/275683"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Microsoft Holmium June 2020", "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.", "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/"}, {"source_name": "FireEye APT33 Sept 2017", "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"}, {"source_name": "Symantec Elfin Mar 2019", "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.", "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-04T18:09:59.538Z", "name": "Control Server", "description": "Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.", "x_mitre_sectors": ["General"], "x_mitre_related_assets": [{"name": "Supervisory Control And Data Acquisition (SCADA) Server", "related_asset_sectors": ["General", "Electric", "Water and Wastewater"], "description": "A SCADA server is used to perform monitoring and control across a distributed environment. It typically has an associated HMI to provide information to a human operator and heavily depends on the human operator to initiate control actions."}, {"name": "Master Terminal Unit (MTU)", "related_asset_sectors": ["General"], "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)"}, {"name": "Supervisory controller", "related_asset_sectors": ["General"], "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)"}, {"name": "Distribution/Energy Management System (DMS/EMS)", "related_asset_sectors": ["Electric"], "description": "A DMS and EMS are electric sector specific devices that are commonly used to manage distribution and transmission-level electrical grids. These platforms typically integrate a SCADA server and HMI with domain-specific data analysis applications, such as state-estimation and contingency analysis (EMS), or voltage-var control or fault restoration (DMS). "}], "x_mitre_platforms": ["Windows", "Linux"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "created": "2023-09-28T14:55:39.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0007", "external_id": "A0007"}, {"source_name": "Guidance - NIST SP800-82", "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:20.168Z", "name": "Network Traffic Flow", "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.\n\n*Data Collection Measures:*\n\n- Network Flow Logs (Metadata Collection)\n - NetFlow \n - Summarized metadata for network conversations (no packet payloads).\n - sFlow (Sampled Flow Logging)\n - Captures sampled packets from switches and routers.\n - Used for real-time traffic monitoring and anomaly detection.\n - Zeek (Bro) Flow Logs\n - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.\n- Host-Based Collection\n - Sysmon Event ID 3 \u2013 Network Connection Initiated\n - Logs process-level network activity, useful for detecting malicious outbound connections.\n - AuditD (Linux) \u2013 syscall=connect\n - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Flow Monitoring\n - AWS VPC Flow Logs\n - Captures metadata for traffic between EC2 instances, security groups, and internet gateways.\n - Azure NSG Flow Logs / Google VPC Flow Logs\n - Logs ingress/egress traffic for cloud-based resources.", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "created": "2022-05-11T16:22:58.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:36.842Z", "name": "Process History/Live Data", "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "intrusion-set", "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "created": "2017-05-31T21:31:57.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1000", "external_id": "G1000"}, {"source_name": "Dragos", "description": "Dragos Allanite Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/allanite/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:23.407Z", "name": "ALLANITE", "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)", "aliases": ["ALLANITE", "Palmetto Fusion"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Dragos Threat Intelligence"]}, {"modified": "2023-10-04T18:07:59.333Z", "name": "Virtual Private Network (VPN) Server", "description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.", "x_mitre_sectors": ["General"], "x_mitre_related_assets": [{"name": "Virtual Private Network (VPN) terminator", "related_asset_sectors": ["General"], "description": "A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)"}, {"name": "Field VPN", "related_asset_sectors": ["General"], "description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments. "}], "x_mitre_platforms": ["Windows", "Linux", "Embedded"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "type": "x-mitre-asset", "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "created": "2023-09-28T15:13:07.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/assets/A0011", "external_id": "A0011"}, {"source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-12-04T21:17:08.593Z", "name": "Sandworm Team", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", "aliases": ["Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44"], "x_mitre_deprecated": false, "x_mitre_version": "4.2", "x_mitre_contributors": ["Dragos Threat Intelligence", "Hakan KARABACAK"], "type": "intrusion-set", "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "created": "2017-05-31T21:32:04.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0034", "external_id": "G0034"}, {"source_name": "Voodoo Bear", "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "ELECTRUM", "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "Sandworm Team", "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "Quedagh", "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "FROZENBARENTS", "description": "(Citation: Leonard TAG 2023)"}, {"source_name": "APT44", "description": "(Citation: mandiant_apt44_unearthing_sandworm)"}, {"source_name": "IRIDIUM", "description": "(Citation: Microsoft Prestige ransomware October 2022)"}, {"source_name": "Seashell Blizzard", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "BlackEnergy (Group)", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "Telebots", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "IRON VIKING", "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "Leonard TAG 2023", "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.", "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"}, {"source_name": "US District Court Indictment GRU Oct 2018", "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", "url": "https://www.justice.gov/opa/page/file/1098481/download"}, {"source_name": "Dragos ELECTRUM", "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", "url": "https://www.dragos.com/resource/electrum/"}, {"source_name": "F-Secure BlackEnergy 2014", "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"}, {"source_name": "iSIGHT Sandworm 2014", "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"}, {"source_name": "CrowdStrike VOODOO BEAR", "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Microsoft Prestige ransomware October 2022", "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"}, {"source_name": "InfoSecurity Sandworm Oct 2014", "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/"}, {"source_name": "NCSC Sandworm Feb 2020", "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory"}, {"source_name": "USDOJ Sandworm Feb 2020", "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.", "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html"}, {"source_name": "mandiant_apt44_unearthing_sandworm", "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.", "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"}, {"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download"}, {"source_name": "Secureworks IRON VIKING ", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"}, {"source_name": "UK NCSC Olympic Attacks October 2020", "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "created": "2022-05-11T16:22:58.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:36.998Z", "name": "Device Alarm", "description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes", "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:39.543Z", "name": "Scheduled Job Metadata", "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2025-03-05T22:12:26.131Z", "name": "FrostyGoop Incident", "description": "[FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041) took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external facing services, [FrostyGoop](https://attack.mitre.org/software/S1165) was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)", "aliases": ["FrostyGoop Incident"], "first_seen": "2024-01-01T07:00:00.000Z", "last_seen": "2024-01-01T07:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Dragos FROSTYGOOP 2024)", "x_mitre_last_seen_citation": "(Citation: Dragos FROSTYGOOP 2024)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", "id": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", "created": "2024-11-20T23:15:36.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0041", "external_id": "C0041"}, {"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}, {"source_name": "Nozomi BUSTLEBERM 2024", "description": "Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.", "url": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack", "enterprise-attack"]}, {"type": "campaign", "id": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "created": "2023-03-31T17:22:23.567Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0025", "external_id": "C0025"}, {"source_name": "ESET Industroyer", "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}, {"source_name": "Dragos Crashoverride 2018", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:37:46.567Z", "name": "2016 Ukraine Electric Power Attack", "description": "[2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", "aliases": ["2016 Ukraine Electric Power Attack"], "first_seen": "2016-12-01T05:00:00.000Z", "last_seen": "2016-12-01T05:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", "x_mitre_last_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["enterprise-attack", "ics-attack"]}, {"type": "campaign", "id": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "created": "2023-03-10T20:01:08.133Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0020", "external_id": "C0020"}, {"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:23.900Z", "name": "Maroochy Water Breach", "description": "[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government\u2019s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)", "aliases": ["Maroochy Water Breach"], "first_seen": "2000-02-01T05:00:00.000Z", "last_seen": "2000-04-01T05:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Marshall Abrams July 2008)", "x_mitre_last_seen_citation": "(Citation: Marshall Abrams July 2008)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["ics-attack"]}, {"modified": "2024-04-15T19:37:46.084Z", "name": "Unitronics Defacement Campaign", "description": "The [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031) was a collection of intrusions across multiple sectors by the [CyberAv3ngers](https://attack.mitre.org/groups/G1027), where threat actors engaged in a seemingly opportunistic and global targeting and defacement of Unitronics Vision Series [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). The sectors that these PLCs can be commonly found in are water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the PLCs' HMIs.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Frank Bajak and Marc Levy December 2023)", "aliases": ["Unitronics Defacement Campaign"], "first_seen": "2023-11-01T04:00:00.000Z", "last_seen": "2023-11-01T04:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: CISA AA23-335A IRGC-Affiliated December 2023)", "x_mitre_last_seen_citation": "(Citation: Lisa Zahner December 2023)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", "id": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", "created": "2024-03-25T19:58:53.090Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0031", "external_id": "C0031"}, {"source_name": "CISA AA23-335A IRGC-Affiliated December 2023", "description": "DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}, {"source_name": "Frank Bajak and Marc Levy December 2023", "description": "Frank Bajak and Marc Levy. (2023, December 2). Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say. Retrieved March 25, 2024.", "url": "https://apnews.com/article/hackers-iran-israel-water-utilities-critical-infrastructure-cisa-554b2aa969c8220016ab2ef94bd7635b"}, {"source_name": "Lisa Zahner December 2023", "description": "Lisa Zahner. (2023, December 15). Hackers in Iran attack computer at Vero Utilities. Retrieved March 25, 2024.", "url": "https://veronews.com/2023/12/15/hackers-in-iran-attack-computer-at-vero-utilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"]}, {"type": "intrusion-set", "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0074", "external_id": "G0074"}, {"source_name": "DYMALLOY", "description": "(Citation: Dragos DYMALLOY )"}, {"source_name": "Berserk Bear", "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)"}, {"source_name": "IRON LIBERTY", "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)"}, {"source_name": "Dragonfly 2.0", "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)"}, {"source_name": "Dragos DYMALLOY ", "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.", "url": "https://www.dragos.com/threat/dymalloy/"}, {"source_name": "Fortune Dragonfly 2.0 Sept 2017", "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/"}, {"source_name": "Secureworks MCMD July 2019", "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.", "url": "https://www.secureworks.com/research/mcmd-malware-analysis"}, {"source_name": "Secureworks IRON LIBERTY", "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty"}, {"source_name": "Symantec Dragonfly Sept 2017", "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"}, {"source_name": "US-CERT TA18-074A", "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.", "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T17:59:27.618Z", "name": "Dragonfly 2.0", "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", "aliases": ["Dragonfly 2.0", "IRON LIBERTY", "DYMALLOY", "Berserk Bear"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:14.725Z", "name": "File Metadata", "description": "contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: \n\n- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on Windows.\n- Timestamps: Analyzing the creation, modification, and access timestamps of a file.\n- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.\n- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.\n- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.\n- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.\n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Sysinternals Tools: Use `AccessEnum` or `PSFile` to retrieve metadata about file access and permissions.\n- Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed).\n- PowerShell: Use Get-Item or Get-ChildItem cmdlets: `Get-ChildItem -Path \"C:\\Path\\To\\Directory\" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes`\n\nLinux\n\n- File System Commands: Use `ls -l` or stat to retrieve file metadata: `stat /path/to/file`\n- Auditd: Configure audit rules to log metadata access: `auditctl -w /path/to/file -p wa -k file_metadata`\n- Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes.\n\nmacOS\n\n- FSEvents: Use FSEvents to track file metadata changes.\n- Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs.\n- Command-Line Tools: Use ls -l or xattr for file attributes: `ls -l@ /path/to/file`\n\nSIEM Integration\n\n- Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis.", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", "created": "2022-09-23T16:34:00.912Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:50.339Z", "name": "Asset Inventory", "description": "This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)", "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "intrusion-set", "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "created": "2017-05-31T21:32:03.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0032", "external_id": "G0032"}, {"source_name": "Labyrinth Chollima", "description": "(Citation: CrowdStrike Labyrinth Chollima Feb 2022)"}, {"source_name": "Diamond Sleet", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "ZINC", "description": "(Citation: Microsoft ZINC disruption Dec 2017)"}, {"source_name": "Lazarus Group", "description": "(Citation: Novetta Blockbuster)"}, {"source_name": "NICKEL ACADEMY", "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)"}, {"source_name": "Guardians of Peace", "description": "(Citation: US-CERT HIDDEN COBRA June 2017)"}, {"source_name": "CrowdStrike Labyrinth Chollima Feb 2022", "description": "CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.", "url": "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Novetta Blockbuster", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.", "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"}, {"source_name": "Secureworks NICKEL ACADEMY Dec 2017", "description": "Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.", "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing"}, {"source_name": "Microsoft ZINC disruption Dec 2017", "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.", "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/"}, {"source_name": "HIDDEN COBRA", "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)"}, {"source_name": "Treasury North Korean Cyber Groups September 2019", "description": "US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.", "url": "https://home.treasury.gov/news/press-releases/sm774"}, {"source_name": "US-CERT HIDDEN COBRA June 2017", "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA \u2013 North Korea\u2019s DDoS Botnet Infrastructure. Retrieved July 13, 2017.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A"}, {"source_name": "US-CERT HOPLIGHT Apr 2019", "description": "US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.", "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T17:21:11.622Z", "name": "Lazarus Group", "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). ", "aliases": ["Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "ZINC", "NICKEL ACADEMY", "Diamond Sleet"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "4.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Kyaw Pyiyt Htet, @KyawPyiytHtet", "Dragos Threat Intelligence", "MyungUk Han, ASEC", "Jun Hirata, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India"], "x_mitre_domains": ["enterprise-attack", "ics-attack"]}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:59.993Z", "name": "Windows Registry Key Modification", "description": "Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n - Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.\n- Sysmon (System Monitor) for Windows\n - Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.\n - Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.\n- Endpoint Detection and Response (EDR) Solutions\n - Monitor registry modifications for suspicious behavior.", "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "campaign", "id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", "created": "2022-09-20T20:53:14.373Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0009", "external_id": "C0009"}, {"source_name": "CISA AA21-042A Water Treatment Intrusion Feb 2021", "description": "CISA. (2021, February 11). Compromise of U.S. Water Treatment Facility . Retrieved October 18, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-042a"}, {"source_name": "Pinellas County Sheriffs Office February 2021", "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M"}, {"source_name": "Dragos Oldsmar Feb 2021", "description": "Serino, G., et al . (2021, February 8). Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack. Retrieved October 21, 2022.", "url": "https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:54.375Z", "name": "Oldsmar Treatment Plant Intrusion", "description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)", "aliases": ["Oldsmar Treatment Plant Intrusion"], "first_seen": "2021-02-01T05:00:00.000Z", "last_seen": "2021-02-01T05:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", "x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["ics-attack"]}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:34.519Z", "name": "Process Termination", "description": "The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor process termination events.\n- Windows Event Logs:\n - Event ID 4689 (Process Termination) \u2013 Captures when a process exits, including process ID and parent process.\n - Event ID 7036 (Service Control Manager) \u2013 Monitors system service stops.\n- Sysmon (Windows):\n - Event ID 5 (Process Termination) \u2013 Detects when a process exits, including parent-child relationships.\n- Linux/macOS Monitoring:\n - AuditD (`execve`, `exit_group`, `kill` syscalls) \u2013 Captures process termination via command-line interactions.\n - eBPF/XDP: Monitors low-level system calls related to process termination.\n - OSQuery: The processes table can be queried for abnormal exits.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2025-01-16T18:55:49.463Z", "name": "OilRig", "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)", "aliases": ["OilRig", "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452"], "x_mitre_deprecated": false, "x_mitre_version": "5.0", "x_mitre_contributors": ["Robert Falcone", "Bryan Lee", "Dragos Threat Intelligence", "Jaesang Oh, KC7 Foundation"], "type": "intrusion-set", "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0049", "external_id": "G0049"}, {"source_name": "IRN2", "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)"}, {"source_name": "ITG13", "description": "(Citation: IBM ZeroCleare Wiper December 2019)"}, {"source_name": "Hazel Sandstorm", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "EUROPIUM", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "OilRig", "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)"}, {"source_name": "TA452", "description": "(Citation: Proofpoint Iranian Aligned Attacks JAN 2020)"}, {"source_name": "COBALT GYPSY", "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)"}, {"source_name": "Crambus", "description": "(Citation: Symantec Crambus OCT 2023)"}, {"source_name": "Earth Simnavaz", "description": "(Citation: Trend Micro Earth Simnavaz October 2024)"}, {"source_name": "Helix Kitten", "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)"}, {"source_name": "Evasive Serpens", "description": "(Citation: Unit42 OilRig Playbook 2023)"}, {"source_name": "Check Point APT34 April 2021", "description": "Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.", "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/"}, {"source_name": "ClearSky OilRig Jan 2017", "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.", "url": "http://www.clearskysec.com/oilrig/"}, {"source_name": "Trend Micro Earth Simnavaz October 2024", "description": "Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.", "url": "https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html"}, {"source_name": "Palo Alto OilRig May 2016", "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.", "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"}, {"source_name": "Palo Alto OilRig April 2017", "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.", "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/"}, {"source_name": "Palo Alto OilRig Oct 2016", "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.", "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"}, {"source_name": "IBM ZeroCleare Wiper December 2019", "description": "Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.", "url": "https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/"}, {"source_name": "Unit 42 QUADAGENT July 2018", "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/"}, {"source_name": "Crowdstrike Helix Kitten Nov 2018", "description": "Meyers, A. (2018, November 27). Meet CrowdStrike\u2019s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.", "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Proofpoint Iranian Aligned Attacks JAN 2020", "description": "Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.", "url": "https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect"}, {"source_name": "FireEye APT34 Dec 2017", "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"}, {"source_name": "Secureworks COBALT GYPSY Threat Profile", "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.", "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"}, {"source_name": "Symantec Crambus OCT 2023", "description": "Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.", "url": "https://www.security.com/threat-intelligence/crambus-middle-east-government"}, {"source_name": "APT34", "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)"}, {"source_name": "Unit 42 Playbook Dec 2017", "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.", "url": "https://pan-unit42.github.io/playbook_viewer/"}, {"source_name": "Unit42 OilRig Playbook 2023", "description": "Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.", "url": "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:18.072Z", "name": "File Creation", "description": "A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). \n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time.\n- Windows Event Log: Enable \"Object Access\" auditing in Group Policy to track file creation under Event ID 4663.\n- PowerShell: Real-time monitoring of file creation:`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`\n\nLinux\n\n- Auditd: Use audit rules to monitor file creation: `auditctl -w /path/to/directory -p w -k file_creation`\n- View logs: `ausearch -k file_creation`\n- Inotify: Monitor file creation with inotifywait: `inotifywait -m /path/to/watch -e create`\n\nmacOS\n\n- Unified Logs: Use the macOS Unified Logging System to capture file creation events.\n- FSEvents: Use File System Events to monitor file creation: `fs_usage | grep create`\n\nNetwork Devices\n\n- NAS Logs: Monitor file creation events on network-attached storage devices.\n- SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols.\n\nSIEM Integration\n\n- Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting.", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:16.486Z", "name": "Module Load", "description": "When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.\n\n*Data Collection Measures:*\n\n- Event Logging (Windows):\n - Sysmon Event ID 7: Logs when a DLL is loaded into a process.\n - Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads.\n - Windows Defender ATP: Can provide visibility into suspicious module loads.\n- Event Logging (Linux/macOS):\n - AuditD (`execve` and `open` syscalls): Captures when shared libraries (`.so` files) are loaded.\n - Ltrace/Strace: Monitors process behavior, including library calls (`dlopen`, `execve`).\n - MacOS Endpoint Security Framework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES`).\n- Endpoint Detection & Response (EDR): \n - Provide real-time telemetry on module loads and process injections.\n - Sysinternals Process Monitor (`procmon`): Captures loaded modules and their execution context.\n- Memory Forensics:\n - Volatility Framework (`malfind`, `ldrmodules`): Detects injected DLLs and anomalous module loads.\n - Rekall Framework: Useful for kernel-mode module detection.\n- SIEM and Log Analysis:\n - Centralized log aggregation to correlate suspicious module loads across the environment.\n - Detection rules using correlation searches and behavioral analytics.", "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:23.075Z", "name": "Logon Session Metadata", "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:35.797Z", "name": "Drive Modification", "description": "The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples: \n\n- Drive Letter Reassignment: A USB drive previously assigned `E:\\` is reassigned to `D:\\` on a Windows machine.\n- Mount Point Change: On a Linux system, a mounted storage device at `/mnt/external` is moved to `/mnt/storage`.\n- Drive Permission Changes: A shared drive's permissions are modified to allow write access for unauthorized users or processes.\n- Renaming of a Drive: A network drive labeled \"HR_Share\" is renamed to \"Shared_Resources.\"\n- Modification of Cloud-Integrated Drives: A cloud storage mount such as Google Drive is modified to sync only specific folders.\n\nThis data component can be collected through the following measures:\n\nWindows Event Logs\n\n- Relevant Events:\n - Event ID 98: Indicates changes to a volume (e.g., drive letter reassignment).\n - Event ID 1006: Logs permission modifications or changes to removable storage.\n- Configuration: Enable \"Storage Operational Logs\" in the Event Viewer:\n`Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational`\n\nLinux System Logs\n\n- Auditd Configuration: Add audit rules to track changes to mounted drives: `auditctl -w /mnt/ -p w -k drive_modification`\n- Command-Line Monitoring: Use `dmesg` or `journalctl` to observe drive modifications.\n\nmacOS System Logs\n\n- Unified Logs: Collect mount or drive modification events: `log show --info | grep \"Volume modified\"`\n- Command-Line Monitoring: Use `diskutil` to track changes:\n\nEndpoint Detection and Response (EDR) Tools\n\n- Configure policies in EDR solutions to monitor and log changes to drive configurations or attributes.\n\nSIEM Tools\n\n- Aggregate logs from multiple systems into a centralized platform like Splunk to correlate events and alert on suspicious drive modification activities.\n", "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-04-10T16:02:48.078Z", "name": "2022 Ukraine Electric Power Attack", "description": "The [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign that used a combination of GOGETTER, Neo-REGEORG, [CaddyWiper](https://attack.mitre.org/software/S0693), and living of the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.(Citation: Mandiant-Sandworm-Ukraine-2022)(Citation: Dragos-Sandworm-Ukraine-2022) ", "aliases": ["2022 Ukraine Electric Power Attack"], "first_seen": "2022-06-01T04:00:00.000Z", "last_seen": "2022-10-01T04:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Mandiant-Sandworm-Ukraine-2022)", "x_mitre_last_seen_citation": "(Citation: Mandiant-Sandworm-Ukraine-2022)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", "id": "campaign--df8eb785-70f8-4300-b444-277ba849083d", "created": "2024-03-27T19:43:25.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0034", "external_id": "C0034"}, {"source_name": "Dragos-Sandworm-Ukraine-2022", "description": "Dragos, Inc.. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.", "url": "https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/"}, {"source_name": "Mandiant-Sandworm-Ukraine-2022", "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", "url": "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["enterprise-attack", "ics-attack"]}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", "created": "2022-09-23T16:36:08.632Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:53.563Z", "name": "Software", "description": "This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).", "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:26.544Z", "name": "Logon Session Creation", "description": "The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: \n\n- Windows Systems\n - Event ID: 4624\n - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).\n - Account Name: JohnDoe\n - Source Network Address: 192.168.1.100\n - Authentication Package: NTLM\n- Linux Systems\n - /var/log/utmp or /var/log/wtmp:\n - Log format: login user [tty] from [source_ip]\n - User: jane\n - IP: 10.0.0.5\n - Timestamp: 2024-12-28 08:30:00\n- macOS Systems\n - /var/log/asl.log or unified logging framework:\n - Log: com.apple.securityd: Authentication succeeded for user 'admin'\n- Cloud Environments\n - Azure Sign-In Logs:\n - Activity: Sign-in successful\n - Client App: Browser\n - Location: Unknown (Country: X)\n- Google Workspace\n - Activity: Login\n - Event Type: successful_login\n - Source IP: 203.0.113.55\n\nThis data component can be collected through the following measures:\n\n- Windows Systems\n - Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons.\n - PowerShell Example: `Get-EventLog -LogName Security -InstanceId 4624`\n- Linux Systems\n - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/var/log/auth.log` for logon events.\n - Tools: Use `last` or `who` commands to parse login records.\n- macOS Systems\n - Log Sources: Monitor `/var/log/asl.log` or Apple Unified Logs using the `log show` command.\n - Command Example: `log show --predicate 'eventMessage contains \"Authentication succeeded\"' --info`\n- Cloud Environments\n - Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: `az monitor log-analytics query -w --analytics-query \"AzureActivity | where ActivityStatus == 'Success' and OperationName == 'Sign-in'\"`\n - Google Workspace: Enable and monitor Login Audit logs from the Admin Console.\n - Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events.\n- Network Logs\n - Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs).\n- Enable EDR Monitoring: \n - EDR tools monitor logon session activity, including the creation of new sessions.\n - Configure alerts for: Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service). Logons from unusual locations, accounts, or devices.\n - Leverage EDR telemetry for session attributes like source IP, session duration, and originating process.", "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:37.873Z", "name": "Process Metadata", "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:46.164Z", "name": "Script Execution", "description": "The execution of a text file that contains code via the interpreter.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n - Event ID 4104 (PowerShell Script Block Logging) \u2013 Captures full command-line execution of PowerShell scripts.\n - Event ID 4688 (Process Creation) \u2013 Detects script execution by tracking process launches (`powershell.exe`, `wscript.exe`, `cscript.exe`).\n - Event ID 5861 (Script Execution) \u2013 Captures script execution via Windows Defender AMSI logging.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation) \u2013 Monitors script execution initiated by scripting engines.\n - Event ID 11 (File Creation) \u2013 Detects new script files written to disk before execution.\n- Endpoint Detection and Response (EDR) Tools:\n - Track script execution behavior, detect obfuscated commands, and prevent malicious scripts.\n- PowerShell Logging:\n - Enable Module Logging: Logs all loaded modules and cmdlets.\n - Enable Script Block Logging: Captures complete PowerShell script execution history.\n- SIEM Detection Rules:\n - Detect script execution with obfuscated, encoded, or remote URLs.\n - Alert on script executions using `-EncodedCommand` or `iex(iwr)`.", "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-04-17T22:09:41.004Z", "name": "FIN7", "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)", "aliases": ["FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest"], "x_mitre_deprecated": false, "x_mitre_version": "4.0", "x_mitre_contributors": ["Edward Millington"], "type": "intrusion-set", "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", "created": "2017-05-31T21:32:09.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0046", "external_id": "G0046"}, {"source_name": "Carbon Spider", "description": "(Citation: CrowdStrike Carbon Spider August 2021)"}, {"source_name": "FIN7", "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)"}, {"source_name": "ELBRUS", "description": "(Citation: Microsoft Ransomware as a Service)"}, {"source_name": "Sangria Tempest", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "GOLD NIAGARA", "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)"}, {"source_name": "Mandiant FIN7 Apr 2022", "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", "url": "https://www.mandiant.com/resources/evolution-of-fin7"}, {"source_name": "FireEye CARBANAK June 2017", "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"}, {"source_name": "FireEye FIN7 April 2017", "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"}, {"source_name": "FireEye FIN7 Aug 2018", "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"}, {"source_name": "Secureworks GOLD NIAGARA Threat Profile", "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.", "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara"}, {"source_name": "FireEye FIN7 Shim Databases", "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"}, {"source_name": "Morphisec FIN7 June 2017", "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.", "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry"}, {"source_name": "ITG14", "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)"}, {"source_name": "CrowdStrike Carbon Spider August 2021", "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Microsoft Ransomware as a Service", "description": "Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"}, {"source_name": "FireEye FIN7 March 2017", "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.", "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"}, {"source_name": "IBM Ransomware Trends September 2020", "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.", "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2025-03-12T20:33:21.597Z", "name": "Wizard Spider", "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "aliases": ["Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193"], "x_mitre_deprecated": false, "x_mitre_version": "4.0", "x_mitre_contributors": ["Edward Millington", "Oleksiy Gayda"], "type": "intrusion-set", "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "created": "2020-05-12T18:15:29.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0102", "external_id": "G0102"}, {"source_name": "Grim Spider", "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)"}, {"source_name": "UNC1878", "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)"}, {"source_name": "TEMP.MixMaster", "description": "(Citation: FireEye Ryuk and Trickbot January 2019)"}, {"source_name": "ITG23", "description": "(Citation: IBM X-Force ITG23 Oct 2021)"}, {"source_name": "FIN12", "description": "(Citation: Mandiant FIN12 Oct 2021)"}, {"source_name": "Periwinkle Tempest", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "DEV-0193", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "GOLD BLACKBURN", "description": "(Citation: Secureworks Gold Blackburn Mar 2022)"}, {"source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"}, {"source_name": "FireEye Ryuk and Trickbot January 2019", "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"}, {"source_name": "CrowdStrike Ryuk January 2019", "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"}, {"source_name": "CrowdStrike Grim Spider May 2019", "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/"}, {"source_name": "FireEye KEGTAP SINGLEMALT October 2020", "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "CrowdStrike Wizard Spider October 2020", "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"}, {"source_name": "Secureworks Gold Blackburn Mar 2022", "description": "Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.", "url": "https://www.secureworks.com/research/threat-profiles/gold-blackburn"}, {"source_name": "Mandiant FIN12 Oct 2021", "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"}, {"source_name": "IBM X-Force ITG23 Oct 2021", "description": "Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.", "url": "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-17T16:13:43.697Z", "name": "TEMP.Veles", "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", "aliases": ["TEMP.Veles", "XENOTIME"], "x_mitre_deprecated": false, "x_mitre_version": "1.4", "x_mitre_contributors": ["Dragos Threat Intelligence"], "type": "intrusion-set", "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "created": "2019-04-16T15:14:38.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0088", "external_id": "G0088"}, {"source_name": "TEMP.Veles", "description": "(Citation: FireEye TRITON 2019)"}, {"source_name": "Dragos Xenotime 2018", "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", "url": "https://dragos.com/resource/xenotime/"}, {"source_name": "FireEye TEMP.Veles 2018", "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"}, {"source_name": "FireEye TRITON 2019", "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html"}, {"source_name": "FireEye TEMP.Veles JSON April 2019", "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.", "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html"}, {"source_name": "Pylos Xenotime 2019", "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.", "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/"}, {"source_name": "XENOTIME", "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:23.639Z", "name": "Network Connection Creation", "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:03.268Z", "name": "Windows Registry Key Deletion", "description": "The removal of a registry key within the Windows operating system.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n - Event ID 4658 - Registry Key Handle Closed: Captures when a handle to a registry key is closed, which may indicate deletion.\n - Event ID 4660 - Object Deleted: Logs when a registry key is deleted.\n- Sysmon (System Monitor) for Windows\n - Sysmon Event ID 12 - Registry Key Deleted: Logs when a registry key is removed.\n - Sysmon Event ID 13 - Registry Value Deleted: Captures removal of specific registry values.\n- Endpoint Detection and Response (EDR) Solutions\n - Monitor registry deletions for suspicious behavior.", "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:36.536Z", "name": "Drive Creation", "description": "The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: \n\n- USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\\` on a Windows machine.\n- Network Drive Mapping: A network share `\\\\server\\share` is mapped to the drive `Z:\\`.\n- Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD).\n- Cloud Storage Mounting: Google Drive is mounted as `G:\\` on a Windows machine using a cloud sync tool.\n- External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system.\n\nThis data component can be collected through the following measures:\n\nWindows Event Logs\n\n- Relevant Events:\n - Event ID 98: Logs the creation of a volume (mount or new drive letter assignment).\n - Event ID 1006: Logs removable storage device insertions.\n- Configuration: Enable \"Removable Storage Events\" in the Group Policy settings:\n`Computer Configuration > Administrative Templates > System > Removable Storage Access`\n\nLinux System Logs\n\n- Command-Line Monitoring: Use `dmesg` or `journalctl` to monitor mount events.\n\n- Auditd Configuration: Add audit rules to track mount points.\n- Logs can be reviewed in /var/log/audit/audit.log.\n\nmacOS System Logs\n\n- Unified Logs: Monitor system logs for mount activity:\n- Command-Line Tools: Use `diskutil list` to verify newly created or mounted drives.\n\nEndpoint Detection and Response (EDR) Tools\n\n- EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events.\n\nSIEM Tools\n\n- Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities.", "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:52.606Z", "name": "Firmware Modification", "description": "Changes made to firmware, which may include its settings, configurations, or underlying data. This can encompass alterations to the Master Boot Record (MBR), Volume Boot Record (VBR), or other firmware components critical to system boot and functionality. Such modifications are often indicators of adversary activity, including malware persistence and system compromise. Examples: \n\n- Changes to Master Boot Record (MBR): Modifying the MBR to load malicious code during the boot process.\n- Changes to Volume Boot Record (VBR): Altering the VBR to redirect boot processes to malicious locations.\n- Firmware Configuration Changes: Modifying BIOS/UEFI settings such as disabling Secure Boot.\n- Firmware Image Tampering: Updating firmware with a malicious or unauthorized image.\n- Logs or Errors Indicating Firmware Changes: Logs showing unauthorized firmware updates or checksum mismatches.\n\nThis data component can be collected through the following measures:\n\n- BIOS/UEFI Logs: Enable and monitor BIOS/UEFI logs to capture settings changes or firmware updates.\n- Firmware Integrity Monitoring: Use tools or firmware security features to detect changes to firmware components.\n- Endpoint Detection and Response (EDR) Solutions: Many EDR platforms can detect abnormal firmware activity, such as changes to MBR/VBR or unauthorized firmware updates.\n- File System Monitoring: Monitor changes to MBR/VBR-related files using tools like Sysmon or auditd.\n - Windows Example (Sysmon): Monitor Event ID 7 (Raw disk access).\n - Linux Example (auditd): `auditctl -w /dev/sda -p wa -k firmware_modification`\n- Network Traffic Analysis: Capture firmware updates downloaded over the network, particularly from untrusted sources. Use network monitoring tools like Zeek or Wireshark to analyze firmware-related traffic.\n- Secure Boot Logs: Collect and analyze Secure Boot logs for signs of tampering or unauthorized configurations. Example: Use PowerShell to retrieve Secure Boot settings on Windows: `Confirm-SecureBootUEFI`\n- Vendor-Specific Firmware Tools: Many hardware vendors provide tools for firmware integrity checks.Examples:\n - Intel Platform Firmware Resilience (PFR).\n - Lenovo UEFI diagnostics.", "x_mitre_data_source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:21.434Z", "name": "File Deletion", "description": "Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.\n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes.\n- Windows Event Log: Enable \"Object Access\" auditing to monitor file deletions.\n- PowerShell: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'}`\n\nLinux\n\n- Auditd: Use audit rules to capture file deletion events: `auditctl -a always,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_deletion`\n- Query logs: `ausearch -k file_deletion`\n- Inotify: Use inotifywait to monitor file deletions: `inotifywait -m /path/to/watch -e delete`\n\nmacOS\n\n- Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities.\n- FSEvents: Track file deletion activities in real-time: `fs_usage | grep unlink`\n\nSIEM Integration\n\n- Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events.\n", "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:40.267Z", "name": "Scheduled Job Modification", "description": "Changes made to an existing scheduled job, including modifications to its execution parameters, command payload, or execution timing.", "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-11-17T14:59:25.749Z", "name": "FIN6", "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", "aliases": ["FIN6", "Magecart Group 6", "ITG08", "Skeleton Spider", "TAAL", "Camouflage Tempest"], "x_mitre_deprecated": false, "x_mitre_version": "4.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)", "Drew Church, Splunk"], "type": "intrusion-set", "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "created": "2017-05-31T21:32:06.015Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0037", "external_id": "G0037"}, {"source_name": "Skeleton Spider", "description": "(Citation: Crowdstrike Global Threat Report Feb 2018)"}, {"source_name": "FIN6", "description": "(Citation: FireEye FIN6 April 2016)"}, {"source_name": "TAAL", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "Camouflage Tempest", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "Magecart Group 6", "description": "(Citation: Security Intelligence ITG08 April 2020)"}, {"source_name": "ITG08", "description": "(Citation: Security Intelligence More Eggs Aug 2019)"}, {"source_name": "Crowdstrike Global Threat Report Feb 2018", "description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.", "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report"}, {"source_name": "FireEye FIN6 April 2016", "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20190807112824/https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"}, {"source_name": "FireEye FIN6 Apr 2019", "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Security Intelligence ITG08 April 2020", "description": "Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.", "url": "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/"}, {"source_name": "Security Intelligence More Eggs Aug 2019", "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.", "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:57.700Z", "name": "Service Modification", "description": "Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.\n\n*Data Collection Measures: *\n\n- Windows Event Logs\n - Event ID 7040 - Detects modifications to the startup behavior of a service.\n - Event ID 7045 - Can capture changes made to existing services.\n - Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering.\n - Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters.\n- Sysmon Logs\n - Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., `HKLM\\SYSTEM\\CurrentControlSet\\Services\\`).\n - Sysmon Event ID 1 - Can track execution of `sc.exe` or `PowerShell Set-Service`.\n- PowerShell Logging\n - Event ID 4104 (Script Block Logging) - Captures execution of commands like `Set-Service`, `New-Service`, or `sc config`.\n - Command-Line Logging (Event ID 4688) - Tracks usage of service modification commands:\n - `sc config start= auto` \n - `sc qc ` \n- Linux/macOS Collection Methods\n - Systemd Journals (`journalctl -u `) Tracks modifications to systemd service configurations.\n - Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`) Captures changes to service state and execution parameters.\n - AuditD Rules for Service Modification \n - Monitor modifications to `/etc/systemd/system/` for new or altered service unit files: `auditctl -w /etc/systemd/system/ -p wa -k service_modification`\n - Track execution of `systemctl` or `service` commands: `auditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl -F key=service_mod`\n - OSQuery for Linux/macOS Monitoring\n - Query modified services using OSQuery\u2019s `processes` or `system_info` tables: `SELECT * FROM systemd_units WHERE state != 'running';`\n - macOS Launch Daemon/Agent Modification\n - Monitor for changes in:\n - `/Library/LaunchDaemons/`\n - `/Library/LaunchAgents/`\n - Track modifications to `.plist` files indicating persistence attempts.", "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "intrusion-set", "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", "created": "2020-09-22T19:41:27.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0115", "external_id": "G0115"}, {"source_name": "Pinchy Spider", "description": "(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)"}, {"source_name": "Secureworks REvil September 2019", "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"}, {"source_name": "CrowdStrike Evolution of Pinchy Spider July 2021", "description": "Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.", "url": "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/"}, {"source_name": "Secureworks GandCrab and REvil September 2019", "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.", "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection"}, {"source_name": "Secureworks GOLD SOUTHFIELD", "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:37:38.397Z", "name": "GOLD SOUTHFIELD", "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)", "aliases": ["GOLD SOUTHFIELD", "Pinchy Spider"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Thijn Bukkems, Amazon"]}, {"modified": "2025-01-22T21:54:11.727Z", "name": "APT38", "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", "aliases": ["APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM"], "x_mitre_deprecated": false, "x_mitre_version": "3.1", "x_mitre_contributors": ["Hiroki Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India"], "type": "intrusion-set", "id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "created": "2019-01-29T21:27:24.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0082", "external_id": "G0082"}, {"source_name": "BeagleBoyz", "description": "(Citation: CISA AA20-239A BeagleBoyz August 2020)"}, {"source_name": "Stardust Chollima", "description": "(Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)"}, {"source_name": "APT38", "description": "(Citation: FireEye APT38 Oct 2018)"}, {"source_name": "Bluenoroff", "description": "(Citation: Kaspersky Lazarus Under The Hood Blog 2017)"}, {"source_name": "Sapphire Sleet", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "COPERNICIUM", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "NICKEL GLADSTONE", "description": "(Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)"}, {"source_name": "CrowdStrike GTR 2021 June 2021", "description": "CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021.", "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"}, {"source_name": "DOJ North Korea Indictment Feb 2021", "description": "Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021.", "url": "https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and"}, {"source_name": "CISA AA20-239A BeagleBoyz August 2020", "description": "DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-239a"}, {"source_name": "FireEye APT38 Oct 2018", "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.", "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"}, {"source_name": "Kaspersky Lazarus Under The Hood Blog 2017", "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", "url": "https://securelist.com/lazarus-under-the-hood/77908/"}, {"source_name": "CrowdStrike Stardust Chollima Profile April 2018", "description": "Meyers, Adam. (2018, April 6). Meet CrowdStrike\u2019s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021.", "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "SecureWorks NICKEL GLADSTONE profile Sept 2021", "description": "SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021.", "url": "https://www.secureworks.com/research/threat-profiles/nickel-gladstone"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:43.635Z", "name": "Scheduled Job Creation", "description": "The establishment of a task or job that will execute at a predefined time or based on specific triggers.\n\n*Data Collection Measures: *\n\n- Windows Event Logs:\n - Event ID 4698 (Scheduled Task Created) \u2013 Detects the creation of new scheduled tasks.\n - Event ID 4702 (Scheduled Task Updated) \u2013 Identifies modifications to existing scheduled jobs.\n - Event ID 106 (TaskScheduler Operational Log) \u2013 Provides details about scheduled task execution.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation) \u2013 Detects the execution of suspicious tasks started by `schtasks.exe`, `at.exe`, or `taskeng.exe`.\n- Linux/macOS Monitoring:\n - AuditD: Monitor modifications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` files.\n - Syslog: Capture cron job execution logs from `/var/log/cron`.\n - OSQuery: Query the `crontab` and `launchd` tables for scheduled job configurations.\n- Endpoint Detection and Response (EDR) Tools:\n - Track scheduled task creation and modification events.\n- SIEM & XDR Detection Rules:\n - Monitor for scheduled jobs created by unusual users.\n - Detect tasks executing scripts from non-standard directories.", "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0015", "external_id": "DS0015"}, {"source_name": "Confluence Logs", "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.", "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:39:10.207Z", "name": "Application Log", "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["IaaS", "Linux", "SaaS", "Windows", "macOS", "Office Suite", "ESXi"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_collection_layers": ["Cloud Control Plane", "Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0002", "external_id": "DS0002"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:09:38.667Z", "name": "User Account", "description": "A profile representing a user, device, service, or application used to authenticate and access resources", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Containers", "IaaS", "Linux", "SaaS", "Windows", "macOS", "Office Suite", "Identity Provider", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Cloud Control Plane", "Container", "Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0033", "external_id": "DS0033"}, {"source_name": "Microsoft NFS Overview", "description": "Microsoft. (2018, July 9). Network File System overview. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:09:58.319Z", "name": "Network Share", "description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Linux", "Windows", "macOS"], "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0022", "external_id": "DS0022"}, {"source_name": "Microsoft File Mgmt", "description": "Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:04.845Z", "name": "File", "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Linux", "Network Devices", "Windows", "macOS", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0009", "external_id": "DS0009"}, {"source_name": "Microsoft Processes and Threads", "description": "Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:24.655Z", "name": "Process", "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Linux", "Windows", "macOS", "Android", "iOS", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0019", "external_id": "DS0019"}, {"source_name": "Microsoft Services", "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications"}, {"source_name": "Linux Services Run Levels", "description": "The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.", "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:47.833Z", "name": "Service", "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Linux", "Windows", "macOS", "ESXi"], "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "created": "2022-05-11T16:22:58.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0040", "external_id": "DS0040"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:35.400Z", "name": "Operational Databases", "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0029", "external_id": "DS0029"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:13.424Z", "name": "Network Traffic", "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["IaaS", "Linux", "Windows", "macOS", "Android", "iOS", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)", "ExtraHop"], "x_mitre_collection_layers": ["Cloud Control Plane", "Host", "Network"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0017", "external_id": "DS0017"}, {"source_name": "Confluence Linux Command Line", "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.", "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html"}, {"source_name": "Audit OSX", "description": "Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.", "url": "https://www.scip.ch/en/?labs.20150108"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:26.880Z", "name": "Command", "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Containers", "Linux", "Network Devices", "Windows", "macOS", "Android", "iOS", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)", "Austin Clark, @c2defense"], "x_mitre_collection_layers": ["Container", "Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0003", "external_id": "DS0003"}, {"source_name": "Microsoft Tasks", "description": "Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:33.637Z", "name": "Scheduled Job", "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Containers", "Linux", "Windows", "macOS", "ESXi"], "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Container", "Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", "created": "2022-05-11T16:22:58.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0039", "external_id": "DS0039"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:26:35.809Z", "name": "Asset", "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0024", "external_id": "DS0024"}, {"source_name": "Microsoft Registry", "description": "Microsoft. (2018, May 31). Registry. Retrieved September 29, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:39:08.970Z", "name": "Windows Registry", "description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows"], "x_mitre_domains": ["enterprise-attack", "ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0011", "external_id": "DS0011"}, {"source_name": "Microsoft LoadLibrary", "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya"}, {"source_name": "Microsoft Module Class", "description": "Microsoft. (n.d.). Module Class. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:13.134Z", "name": "Module", "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Linux", "Windows", "macOS"], "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0028", "external_id": "DS0028"}, {"source_name": "Microsoft Audit Logon Events", "description": "Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:19.778Z", "name": "Logon Session", "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["IaaS", "Linux", "SaaS", "Windows", "macOS", "Office Suite", "Identity Provider", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Cloud Control Plane", "Host", "Network"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0016", "external_id": "DS0016"}, {"source_name": "Sysmon EID 9", "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. Retrieved September 24, 2021.", "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:29.888Z", "name": "Drive", "description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Linux", "Windows", "macOS"], "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0012", "external_id": "DS0012"}, {"source_name": "FireEye PowerShell Logging", "description": "Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"}, {"source_name": "Microsoft AMSI", "description": "Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"}, {"source_name": "Microsoft PowerShell Logging", "description": "Microsoft. (2020, March 30). about_Logging_Windows. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:42.967Z", "name": "Script", "description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Windows", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", "created": "2021-10-20T15:05:19.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0001", "external_id": "DS0001"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:12:49.401Z", "name": "Firmware", "description": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Linux", "Windows", "macOS"], "x_mitre_domains": ["ics-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"type": "intrusion-set", "id": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", "created": "2018-01-16T16:13:52.465Z", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0057", "external_id": "G0057"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T17:59:29.085Z", "name": "APT34", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["ics-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-04-10T18:39:36.997Z", "name": "CyberAv3ngers", "description": "The [CyberAv3ngers](https://attack.mitre.org/groups/G1027) are a suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT group. The [CyberAv3ngers](https://attack.mitre.org/groups/G1027) have been known to be active since at least 2020, with disputed and false claims of critical infrastructure compromises in Israel.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)\n\nIn 2023, the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) engaged in a global targeting and hacking of the Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). This PLC can be found in multiple sectors, including water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the devices user interface.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)", "aliases": ["CyberAv3ngers", "Soldiers of Soloman"], "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "intrusion-set", "id": "intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa", "created": "2024-03-25T19:57:07.829Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1027", "external_id": "G1027"}, {"source_name": "Soldiers of Soloman", "description": "CyberAv3ngers reportedly has connections to the IRGC-linked group Soldiers of Solomon.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)"}, {"source_name": "CISA AA23-335A IRGC-Affiliated December 2023", "description": "DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["ics-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "relationship", "id": "relationship--007a2c53-fc5c-4750-aff0-defb282e178a", "created": "2023-09-29T16:30:30.829Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:49.087Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:49.334Z", "description": "Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--00b9e63b-57a7-408e-83d6-fc03535010a6", "created": "2023-09-27T14:39:33.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:49.547Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used Valid Accounts taken from the Windows Domain Controller to access the control system Virtual Private Network (VPN) used by grid operators. (Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:49.763Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--011f1d16-c9f1-48ac-94f1-165466c155f8", "created": "2023-09-29T18:43:33.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:49.972Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd", "created": "2023-09-29T16:30:58.431Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:50.177Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--01335508-22bb-4185-a7e2-49ec9bee6423", "created": "2023-09-28T20:15:20.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:50.425Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:50.644Z", "description": "Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0", "created": "2023-09-29T18:42:27.894Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:50.855Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124", "created": "2023-09-29T18:55:47.037Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:51.055Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50", "created": "2023-09-29T17:42:44.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:51.276Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0278ddbc-67d5-444d-8082-bf9974dee920", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:51.476Z", "description": "Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:51.718Z", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c", "created": "2023-09-29T17:59:31.091Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:51.927Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--033b4401-261f-498b-89f3-2bad9ff5907a", "created": "2023-09-29T17:58:15.338Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:52.127Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:52.331Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57", "created": "2023-09-29T16:29:03.438Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:52.555Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022", "created": "2022-09-27T17:39:15.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:52.840Z", "description": "Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7", "created": "2024-03-28T14:33:00.899Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Triton-EENews-2017", "description": "Blake Sobczak. (2019, March 7). The inside story of the world\u2019s most dangerous malware. Retrieved March 25, 2024.", "url": "https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:53.062Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) changed phone numbers tied to certain specific accounts in a designated contact list. They then used the changed phone numbers to redirect network traffic to websites controlled by them, thereby allowing them to capture and use any login codes sent to the devices via text message.(Citation: Triton-EENews-2017)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:53.312Z", "description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91", "created": "2023-03-30T19:00:12.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:53.533Z", "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361", "created": "2023-09-29T17:40:34.866Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:53.760Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec Security Response July 2014", "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries."}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:53.964Z", "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) or [Trojan.Karagany](https://attack.mitre.org/software/S0094). (Citation: Symantec Security Response July 2014)", "relationship_type": "uses", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:54.170Z", "description": "Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:54.429Z", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863", "created": "2023-09-28T20:29:11.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:54.635Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:54.883Z", "description": "[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. (Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:55.092Z", "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--052552e9-eac0-4b37-9df8-2e921053e305", "created": "2023-03-30T19:05:17.003Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:55.318Z", "description": "Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:55.517Z", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", "relationship_type": "uses", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--064dfd6f-db5d-48e8-b350-9dd47a270911", "created": "2022-09-28T20:22:09.916Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA-AA22-103A", "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:55.721Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely read the OCP UA structure from devices.(Citation: CISA-AA22-103A) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--06782c99-93de-4db9-9c30-6f96aef894d2", "created": "2023-03-30T19:06:49.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:55.947Z", "description": "Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html"}, {"source_name": "ICS-CERT August 2018", "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:56.182Z", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "relationship_type": "uses", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:56.445Z", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--06f15629-d050-434a-aed1-3bb3f90c97b2", "created": "2022-09-27T15:22:37.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Elastic - Koadiac Detection with EQL", "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.", "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:56.652Z", "description": "Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:56.882Z", "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages over serial COM ports are blocked.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e", "created": "2023-09-28T21:28:51.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:57.095Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--076bfea6-309e-4804-a147-dffe93983481", "created": "2023-09-28T20:16:17.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:57.327Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--07c0e166-f05e-413f-8f3e-f487317c9626", "created": "2023-03-22T15:53:59.953Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:57.527Z", "description": "Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.", "relationship_type": "mitigates", "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--07e06d21-e666-4274-838a-ef9996fdc0cd", "created": "2023-09-28T20:05:45.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:57.749Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44", "created": "2023-09-29T16:47:20.192Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:57.964Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:58.167Z", "description": "Application control may be able to prevent the running of executables masquerading as other files.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:58.381Z", "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:58.605Z", "description": "Devices should authenticate all messages between master and outstation assets.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:58.858Z", "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0951222a-42d1-4635-bb12-5285bc6500e0", "created": "2023-09-28T20:15:45.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:59.066Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--095456bc-898b-4c76-a062-ff0ea90aeab4", "created": "2023-09-28T21:25:05.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:59.310Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--096c3136-dac9-4729-98c0-c8d870f2bd13", "created": "2023-09-28T19:42:01.055Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:59.533Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--09977105-562f-4f45-a151-27a11a18031e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:59.755Z", "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--09e0c991-1707-431b-a0fd-fd8215e6d552", "created": "2023-09-28T20:30:12.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:00:59.961Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6", "created": "2023-09-28T19:53:56.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:00.211Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:00.433Z", "description": "Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0a421699-f013-49f4-9d9f-01d95d210510", "created": "2023-09-28T19:37:25.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:00.654Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a", "created": "2023-09-29T17:38:04.048Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:00.869Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:01.074Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91", "created": "2023-10-02T20:23:11.865Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:01.311Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42", "created": "2023-09-28T19:59:10.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:01.508Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f", "created": "2023-09-28T21:22:48.239Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:01.731Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b7f643e-8975-4998-acbb-7405fa944a68", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:01.935Z", "description": "Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b", "created": "2023-09-29T18:46:22.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:02.137Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016", "created": "2023-09-28T20:10:34.479Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:02.390Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jacqueline O'Leary et al. September 2017", "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"}, {"source_name": "Junnosuke Yagi March 2017", "description": "Junnosuke Yagi 2017, March 07 Trojan.Stonedrill Retrieved. 2019/12/05 ", "url": "https://www.symantec.com/security-center/writeup/2017-030708-4403-99"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:02.594Z", "description": "[APT33](https://attack.mitre.org/groups/G0064) utilize backdoors capable of capturing screenshots once installed on a system. (Citation: Jacqueline O'Leary et al. September 2017)(Citation: Junnosuke Yagi March 2017)", "relationship_type": "uses", "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", "url": "https://securelist.com/bad-rabbit-ransomware/82851/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:02.827Z", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", "relationship_type": "uses", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET Research Whitepapers September 2018", "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"}, {"source_name": "Intel", "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf"}, {"source_name": "N/A", "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:03.032Z", "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a", "created": "2022-09-27T15:49:26.908Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:03.264Z", "description": "Monitor asset application logs for information that indicate task parameters have changed.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0c72593d-fcc6-4023-8771-bed5e243310e", "created": "2023-09-28T21:24:37.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:03.462Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:03.714Z", "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8", "created": "2023-09-28T19:51:27.775Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:03.908Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d305450-d5ca-46fe-8583-36c983dd0a88", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:04.114Z", "description": "Monitor ICS management protocols for functions that change an asset\u2019s operating mode.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d4f2f88-e176-42c7-8258-52b345045662", "created": "2022-09-28T20:29:51.844Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA-AA22-103A", "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:04.329Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.(Citation: CISA-AA22-103A) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d52eea3-394e-492b-944b-9ccb6348329d", "created": "2023-09-28T21:14:41.633Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:04.553Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d540b53-6a5d-4f56-9dee-47707443b149", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:04.765Z", "description": "Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., \u201cRead\u201d function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process\u2019 state, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab", "created": "2024-11-20T23:08:24.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}, {"source_name": "Nozomi BUSTLEBERM 2024", "description": "Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.", "url": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:04.991Z", "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) allows for the modification of system settings by reading and writing to registers via Modbus commands.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)", "relationship_type": "uses", "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d8e0324-ba8e-4712-a123-60377afe94da", "created": "2023-09-29T18:48:17.073Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:05.201Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136", "created": "2023-09-29T17:57:12.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:05.408Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc", "created": "2022-09-26T14:27:28.370Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:05.617Z", "description": "Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:05.825Z", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81", "created": "2024-04-09T20:58:17.933Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:06.044Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954", "created": "2023-09-29T16:27:50.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:06.275Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0e275c19-7688-47f8-8cd5-85eaacec465b", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:06.504Z", "description": "Monitor industrial process history data for events that correspond with command message functions, such as setpoint modification or changes to system status for key devices. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:06.755Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:06.954Z", "description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos", "description": "Dragos Allanite Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/allanite/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:07.197Z", "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. (Citation: Dragos)", "relationship_type": "uses", "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29", "created": "2023-09-29T17:57:34.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:07.422Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Andy Greenburg June 2019", "description": "Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 2020/01/03 ", "url": "https://www.wired.com/story/iran-hackers-us-phishing-tensions/"}, {"source_name": "Jacqueline O'Leary et al. September 2017", "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:07.639Z", "description": "[APT33](https://attack.mitre.org/groups/G0064) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0064) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. (Citation: Andy Greenburg June 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0f5295ce-d705-4541-8dda-c569b126d103", "created": "2023-10-02T20:24:03.723Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:07.855Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72", "created": "2023-09-29T17:09:11.210Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:08.076Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:08.311Z", "description": "Devices should authenticate all messages between master and outstation assets.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:08.518Z", "description": "Ensure proper network segmentation between higher level corporate resources and the control process environment.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:08.728Z", "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:08.938Z", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--10626671-941d-4a82-a835-56059058ef87", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:09.172Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--106530e1-375a-4ac4-befb-8297b3b05610", "created": "2023-09-29T18:55:58.199Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:09.431Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:09.650Z", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--10e87e4b-a231-42e3-a011-0031f8226936", "created": "2022-09-26T17:15:51.819Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:09.874Z", "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:10.104Z", "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if reporting messages are blocked. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Microsoft May 2017", "description": "Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 ", "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft"}, {"source_name": "Microsoft August 2018", "description": "Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 2020/09/25 ", "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models"}, {"source_name": "Microsoft February 2019", "description": "Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ", "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:10.323Z", "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--11840b30-f0d1-4df5-a960-cdb80749c32a", "created": "2023-09-29T17:07:25.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:10.529Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--11a82651-4d69-4738-89c6-17d0243cbbb0", "created": "2023-09-29T17:37:26.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:10.753Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:10.974Z", "description": "Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ben Hunter and Fred Gutierrez July 2020", "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12 ", "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems"}, {"source_name": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020", "description": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 2021/04/12 ", "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:11.177Z", "description": "Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0605) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. (Citation: Ben Hunter and Fred Gutierrez July 2020)", "relationship_type": "uses", "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--128de3f9-df58-4122-9523-0ac65a6ebf71", "created": "2023-09-29T17:45:20.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:11.438Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:11.643Z", "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693", "created": "2022-03-09T23:42:34.056Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Secureworks IRON VIKING ", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:57:44.250Z", "description": "(Citation: Secureworks IRON VIKING )", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:11.964Z", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4", "created": "2023-09-28T21:13:23.057Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:12.182Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12e84466-fb05-4d55-9220-5933ee0fcb43", "created": "2024-11-20T23:16:42.816Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:12.437Z", "description": "[FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041) used [FrostyGoop](https://attack.mitre.org/software/S1165) to manipulate OT devices to induce a district heating disruption in Ukraine.(Citation: Dragos FROSTYGOOP 2024)", "relationship_type": "uses", "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", "target_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36", "created": "2023-09-28T19:39:58.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:12.635Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f", "created": "2022-09-26T18:41:48.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:12.863Z", "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", "created": "2021-04-13T12:36:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:13.098Z", "description": "[Triton](https://attack.mitre.org/software/S1009)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. (Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:13.314Z", "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--13d76624-7049-45c5-94d3-8f172b7f6336", "created": "2023-09-27T14:48:58.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:13.517Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) established an internal proxy prior to the installation of backdoors within the network. (Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:13.729Z", "description": "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6", "created": "2023-10-02T20:24:12.666Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:13.959Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc", "created": "2023-09-29T16:32:33.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:14.173Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:14.383Z", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495", "created": "2023-09-29T16:40:06.079Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:14.631Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--15188683-7ded-4578-9102-73459ecbe095", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:14.875Z", "description": "Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host\u2019s GUI.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a", "created": "2023-09-28T19:47:25.303Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:15.092Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--154de746-5ea2-43b4-97b2-221b2433cbde", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:15.316Z", "description": "Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--159fb736-ba92-4564-aa6d-db6f64497763", "created": "2023-09-28T20:25:59.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:15.566Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--15a39e3b-124e-4e68-95b5-7b8020225c12", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:15.768Z", "description": "Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916", "created": "2024-03-25T20:10:21.706Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jamie Tarabay and Katrina Manson December 2023", "description": "Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024.", "url": "https://www.bloomberg.com/news/articles/2023-12-22/iranian-linked-hacks-expose-failure-to-safeguard-us-water-system"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:15.976Z", "description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused multiple businesses to halt operations due to the unavailability of the [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) and [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). These victims covered multiple sectors.(Citation: Jamie Tarabay and Katrina Manson December 2023)", "relationship_type": "uses", "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b", "created": "2023-09-28T20:06:03.889Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:16.202Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4", "created": "2023-09-29T18:48:52.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:16.427Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--16c7240e-0559-4c49-9003-1bfe97074252", "created": "2024-04-09T21:02:28.446Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:16.647Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d", "created": "2023-03-30T18:57:58.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec", "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", "url": "https://docs.broadcom.com/doc/w32-duqu-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:16.873Z", "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data from local systems. The modules are named: infostealer 1, infostealer 2 and reconnaissance. (Citation: Symantec)", "relationship_type": "uses", "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749", "created": "2023-09-29T17:05:30.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:17.069Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:17.318Z", "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa", "created": "2023-10-02T20:18:01.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:17.536Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab", "created": "2023-09-29T17:45:45.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:17.759Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--17fdec71-98e8-4314-a1be-037edede58bd", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:17.963Z", "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1865830b-511d-4302-99f7-6143647a8e40", "created": "2023-10-02T20:23:52.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:18.192Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5", "created": "2024-03-25T20:08:41.065Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA AA23-335A IRGC-Affiliated December 2023", "description": "DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}, {"source_name": "CISA Unitronics November 2023", "description": "DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024.", "url": "https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems"}, {"source_name": "Frank Bajak and Marc Levy December 2023", "description": "Frank Bajak and Marc Levy. (2023, December 2). Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say. Retrieved March 25, 2024.", "url": "https://apnews.com/article/hackers-iran-israel-water-utilities-critical-infrastructure-cisa-554b2aa969c8220016ab2ef94bd7635b"}, {"source_name": "Jamie Tarabay and Katrina Manson December 2023", "description": "Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024.", "url": "https://www.bloomberg.com/news/articles/2023-12-22/iranian-linked-hacks-expose-failure-to-safeguard-us-water-system"}, {"source_name": "WPXI Aliquippa Water November 2023", "description": "WPXI. (2023, November 27). Officials investigating cyberattack on Municipal Water Authority of Aliquippa. Retrieved March 25, 2024.", "url": "https://www.wpxi.com/news/local/officials-investigating-cyberattack-municipal-water-authority-aliquippa/K5A3BEW35RAXJPMNHNE35RZ7WA/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:18.419Z", "description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) defaced controllers\u2019 [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002), which prevented multiple entities from being able to operate their devices normally.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)(Citation: Jamie Tarabay and Katrina Manson December 2023)(Citation: Frank Bajak and Marc Levy December 2023) Additionally, the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused a communications failure in a remote pumping station.(Citation: WPXI Aliquippa Water November 2023)", "relationship_type": "uses", "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--18af193c-160a-4cae-9078-4d69de5c2347", "created": "2023-09-29T18:56:21.340Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:18.630Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75", "created": "2023-09-29T18:02:01.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:18.861Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:19.081Z", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--193c3cd3-0b22-4839-a1fa-413aee61e882", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:19.315Z", "description": "Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--19ab6776-42de-48af-975a-568d31a3bb66", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}, {"source_name": "N/A", "description": "N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 2020/09/25 ", "url": "https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:19.534Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016) (Citation: N/A)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348", "created": "2022-09-28T21:18:55.279Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA-AA22-103A", "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:19.765Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c", "created": "2023-09-28T20:11:23.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:19.981Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826", "created": "2023-09-28T21:13:49.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:20.204Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0", "created": "2023-10-02T20:18:45.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:20.422Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:20.632Z", "description": "Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1a900ac4-c150-4b57-a899-990854b01d4b", "created": "2023-09-29T16:33:50.423Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:20.874Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356", "created": "2023-09-29T18:57:45.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:21.089Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d", "created": "2023-09-28T20:09:21.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:21.309Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:21.511Z", "description": "If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5", "created": "2024-03-25T20:05:52.868Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA AA23-335A IRGC-Affiliated December 2023", "description": "DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}, {"source_name": "CISA Unitronics November 2023", "description": "DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024.", "url": "https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:21.720Z", "description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) discovered and exploited default credentials found on many Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). For many of these devices, the default password was set to \u20181111\u2019.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)", "relationship_type": "uses", "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1acccbe8-64e1-49ad-87df-215d5c87f050", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:21.946Z", "description": "Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185", "created": "2023-09-29T18:01:06.725Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:22.157Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d", "created": "2024-09-11T22:51:15.202Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Claroty Fuxnet 2024", "description": "Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.", "url": "https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:22.366Z", "description": "[Fuxnet](https://attack.mitre.org/software/S1157) execution relied upon accessing Internet-accessible devices for initial access and deployment.(Citation: Claroty Fuxnet 2024)", "relationship_type": "uses", "source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5", "created": "2023-09-29T17:43:41.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:22.572Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b", "created": "2023-09-29T16:41:44.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:22.779Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738", "created": "2023-09-29T18:00:32.581Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:22.979Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:23.181Z", "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1c3d966a-5995-48ed-919d-25b972010fe9", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:23.423Z", "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1c7df4f1-cee5-42c6-a974-29552552666f", "created": "2023-09-28T19:47:08.952Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:23.628Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1c831708-28c2-47ae-a158-39f1f7b73406", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:23.875Z", "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081", "created": "2023-09-29T18:46:12.052Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:24.077Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1d35c947-447f-4693-9ab0-32dff56e664e", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:24.315Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\n[Stuxnet](https://attack.mitre.org/software/S0603) was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1d399f67-090e-444b-b75d-eed4b1780f08", "created": "2022-09-26T18:42:16.844Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:24.532Z", "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653", "created": "2023-09-29T17:40:22.705Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:24.766Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57", "created": "2023-09-27T13:22:26.752Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:00:48.950Z", "description": "(Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ben Hunter and Fred Gutierrez July 2020", "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12 ", "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:25.078Z", "description": "[EKANS](https://attack.mitre.org/software/S0605) performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. (Citation: Ben Hunter and Fred Gutierrez July 2020)", "relationship_type": "uses", "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1e6da55a-ab6c-4583-9e20-583f82096497", "created": "2022-09-26T14:40:01.334Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:25.317Z", "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:25.536Z", "description": "Analyze network data for uncommon data flows (e.g., new protocols in use between hosts, unexpected ports in use). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e", "created": "2023-09-28T21:12:25.345Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:25.760Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:25.966Z", "description": "Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f785984-791e-4612-be32-9ee6903a9c0b", "created": "2022-09-28T20:26:09.928Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:26.160Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:26.376Z", "description": "Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f87378c-49fb-4da5-8ed3-3672633d3713", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:26.589Z", "description": "Regularly scan the internal network for available services to identify new and potentially vulnerable services.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:26.813Z", "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. (Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:27.009Z", "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Implement user accounts for each individual for enforcement and non-repudiation of actions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8", "created": "2023-09-29T17:09:59.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:27.268Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Tom Fakterman August 2019", "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:27.469Z", "description": "[REvil](https://attack.mitre.org/software/S0496) initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. (Citation: Tom Fakterman August 2019)", "relationship_type": "uses", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3", "created": "2023-09-28T19:54:37.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:27.677Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459", "created": "2022-09-23T16:35:17.240Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:27.884Z", "description": "Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a network.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2057ec71-a94f-49cc-b348-2eeb44899afd", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:28.124Z", "description": "Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\\Windows\\System32). ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--206cc4c8-797e-427b-86f1-4c81df391c6e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"}, {"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}, {"source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:28.376Z", "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b", "created": "2023-03-30T19:26:19.782Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Industroyer2 Mandiant April 2022", "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks"}, {"source_name": "Industroyer2 Forescout July 2022", "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:28.574Z", "description": "[Industroyer2](https://attack.mitre.org/software/S1072) can iterate across a device\u2019s IOAs to modify the ON/OFF value of a given IO state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", "relationship_type": "uses", "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:28.816Z", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--208fe57b-cf2e-4188-8a6f-77597cd60351", "created": "2023-09-29T17:44:43.317Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:29.056Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:29.277Z", "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:29.490Z", "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006)'s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--21041206-da58-45c7-adb0-db07caebdcb6", "created": "2021-04-13T12:36:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:29.718Z", "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--21058f32-3d6e-4381-9288-5c2248e84cce", "created": "2023-09-29T18:44:27.240Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:29.950Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--21134484-2d59-46b7-b878-527121fff1e3", "created": "2022-09-26T14:28:17.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:30.175Z", "description": "Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4", "created": "2023-09-28T19:44:53.873Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:30.435Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--21470001-67f2-47cf-af21-784e5024ac1d", "created": "2023-09-29T18:01:22.023Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:30.632Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--214eb531-411c-4b90-9dbf-dc0183cbb919", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:30.857Z", "description": "Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2159458f-87fc-4479-81f4-a2521a378221", "created": "2023-09-28T21:22:09.790Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:31.056Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--21aa6331-3419-4049-b180-8349b71e1f2a", "created": "2023-09-28T21:11:03.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:31.273Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:31.501Z", "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--220140ac-d927-4d86-9335-c04aa6ee3c61", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:31.723Z", "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. (Citation: Keith Stouffer May 2015)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:31.938Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22548926-29b4-4882-9878-633375489c0e", "created": "2023-09-28T20:30:50.842Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:32.138Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2289f005-7863-4af5-b681-cdfc03d3f111", "created": "2023-09-29T18:56:08.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:32.376Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET", "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:32.592Z", "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) can collect AutoCad files with drawings. These drawings may contain operational information. (Citation: ESET)\n", "relationship_type": "uses", "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22ba5443-ea49-4076-a666-722eb5352f70", "created": "2023-09-28T20:02:45.697Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:32.818Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--232c7049-7609-46a9-8bbe-38672713f853", "created": "2023-09-28T21:15:32.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:33.029Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49", "created": "2023-09-29T16:43:53.940Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:33.285Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:33.516Z", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--23851bda-49de-4f35-979f-c4e6b5742389", "created": "2024-04-09T20:59:53.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:33.748Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Microsoft Security Response Center August 2017", "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"}, {"source_name": "Wikipedia", "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", "url": "https://en.wikipedia.org/wiki/Control-flow_integrity"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:33.963Z", "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:34.178Z", "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:34.413Z", "description": "Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07", "created": "2023-09-28T20:25:47.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:34.622Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--245c8c36-28e5-4508-a585-7768cb33299a", "created": "2023-03-10T20:06:10.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:34.847Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the system over radio.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d", "created": "2024-04-09T21:00:24.049Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:35.080Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--24885921-734f-46c1-85d7-3f79e0b886d6", "created": "2023-09-27T14:51:18.262Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:35.317Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5", "created": "2023-09-29T17:07:55.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:35.532Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe", "created": "2023-09-28T20:10:06.838Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:35.763Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--250212f0-a149-4a14-af83-94f7fcedc021", "created": "2023-09-28T20:26:29.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:35.960Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--25281488-be20-4d83-89d1-1da7ea836037", "created": "2023-09-29T17:40:47.898Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:36.185Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3", "created": "2023-03-30T18:57:21.754Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kevin Savage and Branko Spasojevic", "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20190930124504/https:/www.symantec.com/security-center/writeup/2012-052811-0308-99"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:36.409Z", "description": "[Flame](https://attack.mitre.org/software/S0143) has built-in modules to gather information from compromised computers. (Citation: Kevin Savage and Branko Spasojevic)", "relationship_type": "uses", "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--25e7ca82-2784-433a-90a9-a3483615a655", "created": "2019-04-12T17:01:01.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye WannaCry 2017", "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"}, {"source_name": "SecureWorks WannaCry Analysis", "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.", "url": "https://www.secureworks.com/research/wcry-ransomware-analysis"}, {"source_name": "FireEye APT38 Oct 2018", "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.", "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"}, {"source_name": "LogRhythm WannaCry", "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024.", "url": "https://web.archive.org/web/20230522041200/https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:03:05.097Z", "description": "(Citation: FireEye APT38 Oct 2018)(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", "relationship_type": "uses", "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--26254163-4f25-4d30-8456-ca093459ff32", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:36.720Z", "description": "Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d", "created": "2022-09-26T16:16:21.749Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:36.915Z", "description": "Monitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7", "created": "2023-03-10T20:34:25.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:37.117Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary disabled alarms at four pumping stations, preventing notifications to the central computer.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", "created": "2020-10-14T21:33:27.046Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos October 2018", "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:37.322Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. (Citation: Dragos October 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:37.528Z", "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:37.745Z", "description": "Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--274994e7-1fe9-463a-9979-46c72107bf9b", "created": "2023-03-30T18:56:47.685Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET", "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:37.951Z", "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from infected systems. (Citation: ESET)", "relationship_type": "uses", "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--276aa6a6-e700-470a-8f72-02537ba7be9d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:38.152Z", "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2867f491-919b-463f-b689-bb3ceb7ae99f", "created": "2022-09-28T20:31:07.486Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos-Pipedream", "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"}, {"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}, {"source_name": "Brubaker-Incontroller", "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:38.377Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to remotely connect to Schneider PLCs and perform maintenance functions on the device.(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use Telnet to upload payloads and execute commands on Omron PLCs.\t(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream) The malware can also use HTTP-based CGI scripts (e.g., cpu.fcgi, ecat.fcgi) to gain administrative access to the device.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad", "created": "2023-09-29T18:05:32.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:38.580Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:38.801Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e", "created": "2023-09-28T21:26:47.115Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:39.000Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--296375b0-817d-4f42-afe1-4308f5edf973", "created": "2023-09-28T21:10:25.193Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:39.198Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2971151c-0e8a-4567-84dc-01cf5dd35005", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:39.441Z", "description": "Digital signatures may be used to ensure application DLLs are authentic prior to execution.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--29b85313-645b-4fb1-b5c2-f580d111760b", "created": "2022-09-26T19:38:04.844Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:39.670Z", "description": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81", "created": "2023-09-29T18:46:39.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:39.889Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2a451896-81aa-4eed-a444-4d04661adeeb", "created": "2023-09-29T16:43:42.911Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:40.097Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe", "created": "2023-09-28T19:38:46.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:40.314Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:40.526Z", "description": "Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1", "created": "2023-09-29T18:46:54.684Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:40.766Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2c79920a-f2d1-4114-a1df-924835da645c", "created": "2023-09-28T19:53:00.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:40.983Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:41.322Z", "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:41.525Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919", "created": "2022-09-27T16:30:41.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:41.751Z", "description": "Monitor device management protocols for functions that modify programs such as online edit and program append events.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2", "created": "2023-09-29T16:33:12.887Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:41.964Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:42.183Z", "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:42.413Z", "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe", "created": "2023-09-29T17:39:15.857Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:42.621Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e0769d7-088e-45d5-a262-6dbc91a95073", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:42.843Z", "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a", "created": "2023-09-28T19:40:51.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:43.048Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:43.273Z", "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:43.495Z", "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:43.725Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8", "created": "2023-09-28T20:02:05.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:43.954Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f", "created": "2023-09-27T14:47:29.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}, {"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:44.177Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f457bef-1721-4e0f-b236-24e4652a31b4", "created": "2023-09-29T16:29:53.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:44.422Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:44.642Z", "description": "Execution prevention may prevent malicious scripts from accessing protected resources.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "DHS National Urban Security Technology Laboratory April 2019", "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:44.915Z", "description": "Reduce the range of RF communications to their intended operating range when possible. Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd", "created": "2024-04-09T21:02:56.157Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:45.125Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50", "created": "2023-09-28T20:30:21.865Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:45.376Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e", "created": "2021-10-14T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:45.597Z", "description": "Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:45.832Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9", "created": "2023-09-28T19:43:28.167Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:46.041Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2fe222c4-cc81-473d-956e-235e2961a5c3", "created": "2023-09-29T17:04:26.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:46.267Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2ff82993-5010-4450-89e7-341f449f3263", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:46.513Z", "description": "Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:46.724Z", "description": "Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. This may be even more useful in cases where the source of the executed script is unknown.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--305866af-1f36-49e0-a57d-d5faaf29011c", "created": "2023-09-28T20:34:52.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:46.946Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee Labs October 2019", "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:47.152Z", "description": "[REvil](https://attack.mitre.org/software/S0496) searches for all processes listed in the prc field within its configuration file and then terminates each process. (Citation: McAfee Labs October 2019)", "relationship_type": "uses", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--31203165-79d0-42e5-81f1-62150dea2c43", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:47.392Z", "description": "Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of [Valid Accounts](https://attack.mitre.org/techniques/T0859) to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:47.602Z", "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) utilizes the PLC communication and management API to load executable Program Organization Units. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Eduard Kovacs March 2018", "description": "Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 2020/01/03 ", "url": "https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos"}, {"source_name": "Novetta Threat Research Group February 2016", "description": "Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 2016/02/25 ", "url": "https://web.archive.org/web/20220707091904/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:47.848Z", "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. (Citation: Eduard Kovacs March 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a", "created": "2023-10-02T20:18:11.933Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:48.055Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce", "created": "2023-09-28T21:16:44.471Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:48.301Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--321fc522-bc6b-4975-bee4-9098624d1e8c", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:48.528Z", "description": "Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5", "created": "2023-09-28T20:26:15.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:48.778Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--327916f7-fe5d-4858-adeb-f72f74c60c25", "created": "2021-10-08T15:25:32.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:48.987Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) sends an SQL statement that creates a table and inserts a binary value into the table. The binary value is a hex string representation of the main Stuxnet DLL as an executable file (formed using resource 210) and an updated configuration data block. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b", "created": "2023-09-28T21:21:07.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:49.213Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b", "created": "2023-09-28T20:10:23.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:49.426Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--32d15d1a-04ba-4035-907a-e2871425e8d1", "created": "2023-09-28T20:28:40.722Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:49.640Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:49.868Z", "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3334e647-fd5d-481d-a7f9-66f73911a57a", "created": "2023-09-28T19:45:30.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:50.097Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:50.313Z", "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n", "relationship_type": "mitigates", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--337f366d-3d76-470c-8ee2-0e2252648282", "created": "2024-03-25T20:19:43.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:50.518Z", "description": "Disallow the execution of applications/programs which are not required for normal system functions, including any specific command-line arguments which may allow the execution of proxy commands or application binaries.", "relationship_type": "mitigates", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7", "created": "2023-09-29T16:47:08.696Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:50.768Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5", "created": "2023-09-29T18:07:41.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:51.006Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3439d550-61d5-40b4-a514-341509d3f701", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:51.215Z", "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3471632d-253d-469e-9e8c-3b291b4ae88a", "created": "2023-09-28T21:14:15.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:51.437Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3478c49c-594b-4224-b7f9-2b0b09c67288", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bastille April 2017", "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:51.636Z", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. (Citation: Bastille April 2017)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:51.855Z", "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:52.073Z", "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TRITON", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}, {"source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:52.315Z", "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. (Citation: DHS CISA February 2019)\n\n[Triton](https://attack.mitre.org/software/S1009) was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.(Citation: FireEye TRITON)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:52.519Z", "description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. (Citation: DHS CISA February 2019)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3526acc8-8834-4aaa-87a5-51e587360cf5", "created": "2023-09-29T18:45:47.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:52.764Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--352ed52c-88ba-4731-a917-4c33da0f29d4", "created": "2023-09-27T14:44:00.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Andy Greenberg June 2017", "description": "Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.", "url": "https://www.wired.com/story/russian-hackers-attack-ukraine/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:52.991Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used an IT helpdesk software to move the mouse on ICS control devices to maliciously release electricity breakers. (Citation: Andy Greenberg June 2017)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:53.210Z", "description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Robert Falcone, Bryan Lee May 2016", "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:53.429Z", "description": "[OilRig](https://attack.mitre.org/groups/G0049) used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. (Citation: Robert Falcone, Bryan Lee May 2016)", "relationship_type": "uses", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:53.631Z", "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information Mitigation](https://attack.mitre.org/mitigations/T1140) in payloads. For added context on adversary procedures and background see [User Execution Mitigation](https://attack.mitre.org/mitigations/T1204) and applicable sub-techniques.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:53.861Z", "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d", "created": "2023-09-28T20:29:27.153Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:54.072Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--37048032-b41d-47d8-9c73-7b706bef24d1", "created": "2023-09-28T20:27:58.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:54.320Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be", "created": "2023-09-28T21:13:36.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:54.521Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3731962f-64e7-4750-ac8b-40b97eef8725", "created": "2023-09-29T16:41:15.943Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:54.729Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--374837a0-6109-4c95-bee6-893b25ac71cf", "created": "2023-09-28T21:13:12.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:54.931Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:55.124Z", "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--37abb3d5-24fc-4397-844e-07548d324729", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:55.366Z", "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2", "created": "2023-09-29T16:31:46.749Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:55.587Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--383e242a-72d4-4b40-8905-888595c34919", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kelly Jackson Higgins", "description": "Kelly Jackson Higgins How a Manufacturing Firm Recovered from a Devastating Ransomware Attack Retrieved. 2019/11/03 ", "url": "https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:55.836Z", "description": "An enterprise resource planning (ERP) manufacturing server was lost to the [Ryuk](https://attack.mitre.org/software/S0446) attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open. (Citation: Kelly Jackson Higgins)", "relationship_type": "uses", "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3843dcca-62a2-4224-9241-05f981fa880a", "created": "2023-09-28T19:46:23.921Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:56.034Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:56.265Z", "description": "Monitor for newly constructed files copied to or from removable media.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--38bda770-c470-4358-a9ad-a5b39bec026b", "created": "2023-09-29T16:28:28.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:56.485Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--39452123-574f-4f3a-95ec-a90170a3d7eb", "created": "2023-10-02T20:20:44.850Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:56.704Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--399126a9-815d-4c3b-9d5e-f57d698ac742", "created": "2023-09-28T19:40:36.023Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:56.917Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--39963a04-9675-4fa4-87ea-1b34145cc569", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Elastic - Koadiac Detection with EQL", "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.", "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:57.122Z", "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--39e5a489-f557-4130-a285-e0a82f40685c", "created": "2023-09-28T19:46:38.112Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:57.345Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584", "created": "2023-09-28T19:40:21.763Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:57.561Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9", "created": "2024-03-28T14:29:30.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TRITON Dec 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:57.833Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088)\u2019 tool took one option from the command line, which was a single IP address of the target Triconex device.(Citation: FireEye TRITON Dec 2017)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974", "created": "2023-09-29T18:56:47.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:58.066Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:58.273Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca", "created": "2023-09-28T19:44:37.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:58.486Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:58.707Z", "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) uses HTTP POST request to contact external command and control servers. (Citation: Booz Allen Hamilton)\n", "relationship_type": "uses", "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea", "created": "2023-09-28T21:15:18.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:58.913Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:59.151Z", "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CISA March 2010", "description": "CISA 2010, March 11 https://us-cert.cisa.gov/ncas/tips/ST05-003 Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:59.380Z", "description": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. (Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35", "created": "2023-09-28T19:43:15.817Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:59.605Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Microsoft Security Response Center August 2017", "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"}, {"source_name": "Wikipedia", "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", "url": "https://en.wikipedia.org/wiki/Control-flow_integrity"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:01:59.868Z", "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688", "created": "2023-09-28T19:53:33.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:00.098Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2", "created": "2023-10-02T20:22:15.907Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:00.330Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:00.566Z", "description": "The name of the [Industroyer](https://attack.mitre.org/software/S0604) payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:00.821Z", "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:01.072Z", "description": "Monitor for known proxy protocols (e.g., SOCKS, Tor, peer-to-peer protocols) and tool usage (e.g., Squid, peer-to-peer software) on the network that are not part of normal operations. Also monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c341d13-938e-4535-ac75-10a79abc7017", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:01.281Z", "description": "Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:01.494Z", "description": "Monitor operational process data for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:01.720Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) calls system function blocks which are part of the operating system running on the PLC. Theyre used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:01.924Z", "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a", "created": "2023-09-28T21:26:11.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:02.154Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:02.385Z", "description": "Monitor logon activity for unexpected or unusual access to devices from the Internet.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:02.598Z", "description": "Minimize the exposure of API calls that allow the execution of code.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:02.818Z", "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e", "created": "2024-03-28T14:31:06.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TEMP.Veles 2018", "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:03.041Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used a publicly available PowerShell-based tool, WMImplant.(Citation: FireEye TEMP.Veles 2018)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d", "created": "2022-09-30T15:28:37.614Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:03.266Z", "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5", "created": "2023-09-29T17:05:08.346Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:03.473Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1", "created": "2023-09-29T16:44:16.391Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:03.720Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:03.943Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41", "created": "2022-09-26T19:30:14.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:04.166Z", "description": "Monitor DLL file events, specifically creation of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:04.386Z", "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9", "created": "2023-09-29T17:39:42.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:04.618Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f261739-b6ec-4a86-94a3-146929f9facf", "created": "2024-11-20T23:28:20.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:04.869Z", "description": "In [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary caused the victim controllers to report incorrect measurements by modifying parameters.(Citation: Dragos FROSTYGOOP 2024)", "relationship_type": "uses", "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:05.085Z", "description": "Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:05.320Z", "description": "Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015", "description": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 ", "url": "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:05.537Z", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. (Citation: Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015)", "relationship_type": "uses", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe", "created": "2023-09-28T21:17:18.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:05.764Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3fb86696-1d56-42d5-a73d-044a78b588fe", "created": "2023-09-27T14:54:12.586Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:05.999Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult. (Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa", "created": "2023-09-28T20:27:43.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:06.232Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542", "created": "2023-09-29T18:57:32.665Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:06.451Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c", "created": "2022-09-28T21:16:28.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:06.668Z", "description": "The [INCONTROLLER](https://attack.mitre.org/software/S1045) PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.(Citation: Wylie-22)", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4", "created": "2023-09-29T18:05:42.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:06.892Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--40f63b01-dc59-475d-826a-74f38c6e81b9", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:07.118Z", "description": "Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. Monitor for relevant process creation events.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db", "created": "2023-09-29T17:04:46.290Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:07.332Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--41a109dd-11d9-4840-a38b-088fc790f45a", "created": "2024-03-25T20:17:27.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:07.563Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:07.779Z", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:07.977Z", "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d", "created": "2023-09-28T19:58:43.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:08.191Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34", "created": "2021-04-12T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:08.414Z", "description": "All communication sessions to remote services should be authenticated to prevent unauthorized access.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--423271c0-04dc-42d0-8e27-fb0b6067e096", "created": "2023-09-27T14:59:43.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}, {"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:08.611Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power breakers were opened which caused the operating companies to be unable to deliver power, and left thousands of businesses and households without power for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--42508a8e-44d5-4af1-9e66-bace5fc94734", "created": "2022-09-27T18:49:25.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "University of Birmingham C2", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:08.836Z", "description": "Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:09.044Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:09.269Z", "description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b", "created": "2023-09-28T19:58:54.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:09.477Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--43344cd7-5004-4dac-8b62-8899105fa265", "created": "2023-09-29T18:47:20.334Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:09.681Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Inc. June 2017", "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:09.883Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:10.095Z", "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:10.331Z", "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--43b11545-3b70-4284-a369-bed7a0de4fd0", "created": "2024-03-27T19:52:07.502Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Mandiant-Sandworm-Ukraine-2022", "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", "url": "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:10.528Z", "description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilizes a Visual Basic script `lun.vbs` to execute `n.bat` which then executed the MicroSCADA `scilc.exe` command.(Citation: Mandiant-Sandworm-Ukraine-2022)", "relationship_type": "uses", "source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:10.748Z", "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de", "created": "2021-04-13T12:36:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:10.968Z", "description": "Minimize the exposure of API calls that allow the execution of code.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b", "created": "2022-09-27T19:06:12.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:11.200Z", "description": "A manipulated I/O image requires analyzing the application program running on the PLC for specific data block writes. Detecting this requires obtaining and analyzing a PLC\u2019s application program, either directly from the device or from asset management platforms.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:11.416Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4508bdef-9528-47ae-804c-bc59d1e694e7", "created": "2023-09-28T20:02:35.354Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:11.638Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--456ff399-4925-45d4-aa84-d930eae5348e", "created": "2023-09-28T20:26:47.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:11.878Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f", "created": "2023-10-02T20:22:02.539Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:12.094Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9", "created": "2023-09-28T20:15:32.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:12.313Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--45ee1822-71e4-4d92-976d-306561b70555", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:12.529Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:12.763Z", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4631bf49-da0b-4415-a226-112c99ff0f64", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:12.973Z", "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:13.208Z", "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4653847b-c089-4435-9159-6f76353833f7", "created": "2023-09-25T20:43:22.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:13.419Z", "description": "All field controllers should restrict the modification of controller tasks to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf", "created": "2023-09-29T16:42:20.944Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:13.639Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--46798892-d849-43fe-8147-b40cc9da291e", "created": "2023-09-28T19:42:29.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:13.854Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Hydro", "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"}, {"source_name": "Kevin Beaumont", "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:14.064Z", "description": "While Norsk Hydro attempted to recover from a [LockerGoga](https://attack.mitre.org/software/S0372) infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity. (Citation: Kevin Beaumont)(Citation: Hydro)", "relationship_type": "uses", "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9", "created": "2024-03-25T20:17:59.424Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:14.277Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4768c731-3be9-44b8-a217-dfbececa57d9", "created": "2023-09-29T18:06:22.868Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:14.477Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4", "created": "2022-09-26T20:46:23.812Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:14.680Z", "description": "Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--47f15a06-8675-4698-833d-bd141ed9e755", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Microsoft Security Response Center August 2017", "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"}, {"source_name": "Wikipedia", "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", "url": "https://en.wikipedia.org/wiki/Control-flow_integrity"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:14.899Z", "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--483719ad-c973-4210-b059-14e87dbd45f8", "created": "2023-09-28T19:49:43.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:15.147Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:15.374Z", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957", "created": "2024-04-09T20:50:34.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:15.592Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:15.804Z", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--49242ea8-4813-49f7-8bd4-9668216cceeb", "created": "2023-09-29T16:45:53.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:16.023Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471", "created": "2021-04-12T18:59:17.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:16.269Z", "description": "Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4981a944-b3ad-4d78-9881-a17d458e3422", "created": "2023-09-28T20:01:30.138Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:16.504Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8", "created": "2023-03-31T17:44:19.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Crashoverride 2018", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:16.718Z", "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: `cscript C:\\Backinfo\\ufn.vbs C:\\Backinfo\\101.dll C:\\Delta\\101.dll`(Citation: Dragos Crashoverride 2018)", "relationship_type": "uses", "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:16.924Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:17.141Z", "description": "Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible, to determine their actions and intent.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05", "created": "2023-09-28T19:41:47.648Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:17.384Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4a7340fc-0eec-4459-a491-952d736b79ef", "created": "2023-09-28T19:50:42.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:17.593Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198", "created": "2023-09-28T21:09:50.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:17.814Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b57e41c-246f-44b3-b259-1811d5275e10", "created": "2022-09-26T15:16:32.057Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:18.020Z", "description": "Consult asset management systems to understand expected alarm settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596", "created": "2023-09-28T21:24:51.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:18.221Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b853b7c-bc55-4599-b88d-d08d651526c0", "created": "2023-09-29T18:49:25.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:18.442Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e", "created": "2023-03-31T17:45:09.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Crashoverride 2018", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:18.645Z", "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.(Citation: Dragos Crashoverride 2018)", "relationship_type": "uses", "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12", "created": "2023-09-28T19:59:23.856Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:18.868Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962", "created": "2023-09-28T21:23:14.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:19.069Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Atlassian Confluence Logging", "description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.", "url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html"}, {"source_name": "Microsoft SharePoint Logging", "description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.", "url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2"}, {"source_name": "Sharepoint Sharing Events", "description": "Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021.", "url": "https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:19.281Z", "description": "Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.(Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource.(Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.(Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c", "created": "2023-09-27T13:17:12.592Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Andy Greenberg June 2017", "description": "Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.", "url": "https://www.wired.com/story/russian-hackers-attack-ukraine/"}, {"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:13:35.299Z", "description": "(Citation: Andy Greenberg June 2017) (Citation: US District Court Indictment GRU Unit 74455 October 2020)", "relationship_type": "attributed-to", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7", "created": "2023-09-28T20:27:04.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:19.583Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4", "created": "2023-09-28T21:28:11.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:19.805Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e", "created": "2022-09-28T21:21:58.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:20.025Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5", "created": "2023-09-29T18:02:38.399Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:20.229Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93", "created": "2023-09-29T17:57:55.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:20.428Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9", "created": "2023-09-28T20:09:53.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:20.630Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4f83cc15-274d-44c6-859f-e598e362e76e", "created": "2023-09-27T14:55:55.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:20.861Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened live breakers via remote commands to the HMI, causing blackouts. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--502a0b7e-048a-468a-b888-e91fde47c6eb", "created": "2021-04-12T18:59:17.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "North America Transmission Forum December 2019", "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ", "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:21.081Z", "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29", "created": "2023-09-29T18:03:06.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:21.314Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5041e17d-6349-4589-8c61-7b43964b5f9b", "created": "2021-10-14T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Emerson Exchange", "description": "Emerson Exchange Increase Security with TPM, Secure Boot, and Trusted Boot Retrieved. 2020/09/25 ", "url": "https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot"}, {"source_name": "National Security Agency February 2016", "description": "National Security Agency 2016, February Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems Retrieved. 2020/09/25 ", "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:21.521Z", "description": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. (Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:21.732Z", "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--50b3247a-ea71-455e-b299-f00666c05146", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:21.937Z", "description": "In states 3 and 4 [Stuxnet](https://attack.mitre.org/software/S0603) sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--50c20664-75dc-451e-b026-67b1d309e4b5", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:22.152Z", "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. (Citation: Anton Cherepanov, ESET June 2017) Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5131c799-517c-4bad-ba97-46ad7de956e7", "created": "2023-09-28T21:17:06.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:22.378Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51eb15a3-48af-470f-94c0-10f25b366d72", "created": "2022-09-28T20:30:22.148Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos-Pipedream", "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"}, {"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:22.591Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can establish a remote HTTP connection to change the operating mode of Omron PLCs.(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:22.827Z", "description": "Restrict unauthorized devices from accessing serial comm ports.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59", "created": "2022-09-26T17:08:21.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:23.025Z", "description": "Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Catalin Cimpanu April 2016", "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:23.270Z", "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. (Citation: Catalin Cimpanu April 2016)", "relationship_type": "uses", "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c", "created": "2023-09-29T16:40:18.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:23.504Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:23.726Z", "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5", "created": "2021-04-10T14:13:17.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:23.945Z", "description": "Enforce strong password requirements to prevent password brute force methods for lateral movement.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--523777f8-4780-4716-807c-08a67450b916", "created": "2023-09-29T18:45:13.052Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:24.163Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--524ffb0f-40ae-4c97-a098-d14001fffa31", "created": "2023-09-29T16:44:54.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:24.372Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0", "created": "2024-04-09T20:58:49.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:24.595Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--52855d5d-e835-470f-a675-751c2779c861", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:24.820Z", "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b", "created": "2023-09-28T21:23:26.598Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:25.027Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:25.225Z", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--52e828db-58d0-443e-8d94-54d265d9606e", "created": "2023-09-29T17:42:01.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:25.441Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"}, {"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}, {"source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:25.655Z", "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--533bd747-2567-4c53-a10b-938734f8aeab", "created": "2024-03-25T17:59:02.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TRITON Dec 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}, {"source_name": "FireEye TEMP.Veles 2018", "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"}, {"source_name": "FireEye TRITON 2018", "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:25.872Z", "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to interact and disrupt Triconex safety instrumented systems throughout this campaign.(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TRITON 2018)(Citation: FireEye TRITON Dec 2017)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:26.098Z", "description": "The execution on the PLC can be stopped by violating the cycle time limit. The [PLC-Blaster](https://attack.mitre.org/software/S1006) implements an endless loop triggering an error condition within the PLC with the impact of a DoS. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--538e5653-137a-4ce2-8b08-5ba69caa794a", "created": "2024-03-25T17:58:07.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TRITON Dec 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}, {"source_name": "FireEye TEMP.Veles 2018", "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:15:21.909Z", "description": "(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TRITON Dec 2017)", "relationship_type": "attributed-to", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:26.417Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a", "created": "2023-03-30T14:08:23.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA June 2013", "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:26.627Z", "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.(Citation: CISA June 2013)", "relationship_type": "mitigates", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--53d7a78d-1431-49e8-944c-62c875e58a20", "created": "2023-09-29T17:08:37.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:26.835Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5424e327-396f-4b07-94a3-408ffc915686", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos", "description": "Dragos Allanite Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/allanite/"}, {"source_name": "ICS-CERT October 2017", "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:27.030Z", "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017)", "relationship_type": "uses", "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd", "created": "2023-09-29T17:44:32.341Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:27.265Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--544e996c-0bdc-42b2-91af-14c27d4213b9", "created": "2023-09-28T21:09:23.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:27.495Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56", "created": "2023-09-28T20:10:44.014Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:27.715Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b", "created": "2023-03-30T19:24:38.022Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Industroyer2 Mandiant April 2022", "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:27.911Z", "description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration.(Citation: Industroyer2 Mandiant April 2022)", "relationship_type": "uses", "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:28.114Z", "description": "Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:28.342Z", "description": "Monitor for unexpected protocols to/from the Internet. While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--55d1eaf7-c3cb-4ff9-8439-96f562d46259", "created": "2024-03-25T20:19:19.219Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:28.550Z", "description": "Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--55f3dd59-08be-4e23-a680-b6db7850b399", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:28.770Z", "description": "Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"}, {"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}, {"source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:28.970Z", "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5677e801-bd49-404b-b54a-6b00da52530c", "created": "2023-09-29T16:39:01.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:29.175Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--567acebd-4ba2-4723-a74d-514992321ccc", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:29.386Z", "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18", "created": "2023-09-29T18:05:18.147Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:29.624Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:29.859Z", "description": "[Triton](https://attack.mitre.org/software/S1009) would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. (Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0", "created": "2022-09-29T14:28:08.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:30.068Z", "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f", "created": "2023-09-27T14:48:05.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:30.269Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:30.475Z", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:30.704Z", "description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--577b53a0-44ff-4cc4-b571-455d61e596c0", "created": "2023-09-28T20:27:17.431Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:30.910Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:31.117Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141", "created": "2023-03-31T18:12:35.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET Industroyer", "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}, {"source_name": "Dragos Crashoverride 2018", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:16:38.121Z", "description": "Within the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Industroyer](https://attack.mitre.org/software/S0604) was used to target and disrupt the Ukrainian power grid substation components.(Citation: Dragos Crashoverride 2018)(Citation: ESET Industroyer)", "relationship_type": "uses", "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:31.423Z", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:31.623Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2", "created": "2022-09-26T15:37:30.958Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:31.837Z", "description": "Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:32.049Z", "description": "Use multi-factor authentication wherever possible.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba", "created": "2023-09-28T19:38:03.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:32.268Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:32.483Z", "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1", "created": "2023-09-28T20:27:33.713Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:32.703Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:32.921Z", "description": "Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to login and may perform follow-on actions that spawn additional processes as the user.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:33.152Z", "description": "Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5914a482-dbb7-429d-96f3-77f0588ac12d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:33.384Z", "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--591620d3-5549-49db-9080-43f86a68a590", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:33.598Z", "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. (Citation: DHS CISA February 2019)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b", "created": "2023-09-28T21:28:21.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:33.839Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8", "created": "2023-09-29T17:09:25.690Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:34.042Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--59c65014-1fee-4c2e-9ece-9883159bbed2", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:34.273Z", "description": "Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see [Service Stop Mitigation](https://attack.mitre.org/mitigations/T1489).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc", "created": "2023-03-10T20:30:43.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:34.481Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:34.706Z", "description": "Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba", "created": "2023-09-28T20:07:36.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:35.030Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:35.227Z", "description": "All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b14c813-09e2-4709-ab42-94830cf9538c", "created": "2023-09-29T18:42:39.876Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:35.448Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2", "created": "2024-11-20T23:09:31.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:35.656Z", "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) can read data from holding registers via Modbus communication.(Citation: Dragos FROSTYGOOP 2024)", "relationship_type": "uses", "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html"}, {"source_name": "Kyle Wilhoit", "description": "Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22 ", "url": "https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:35.883Z", "description": "Execution of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) relies on a user opening a trojanized installer attached to an email. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) (Citation: Kyle Wilhoit)", "relationship_type": "uses", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:36.101Z", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad", "created": "2024-03-28T14:28:10.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TRITON Dec 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:36.327Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) tripped a controller into a failed safe state, which caused an automatic shutdown of the plant, this resulted in a pause of plant operations for more than a week. Thereby impacting industrial processes and halting productivity.(Citation: FireEye TRITON Dec 2017)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:36.538Z", "description": "Provide the ability to verify the integrity and authenticity of changes to parameter values.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:36.747Z", "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5c61c8a2-bfff-43fb-8397-bff864413d74", "created": "2023-09-29T17:06:09.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:36.954Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5c695f49-6c76-4818-88b6-4db2bf029e43", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:37.164Z", "description": "Monitor for file creation in conjunction with other techniques (e.g., file transfers using [Remote Services](https://attack.mitre.org/techniques/T0886)).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a", "created": "2024-11-20T23:06:24.432Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:37.377Z", "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) utilizes the Modbus protocol for transmitting commands to victim devices.(Citation: Dragos FROSTYGOOP 2024)", "relationship_type": "uses", "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:37.627Z", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:37.868Z", "description": "System and process restarts should be performed when a timeout condition occurs.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:38.092Z", "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:38.316Z", "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:38.521Z", "description": "Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. (Citation: IEC February 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:38.750Z", "description": "Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Tom Fakterman August 2019", "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:38.960Z", "description": "[REvil](https://attack.mitre.org/software/S0496) searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. (Citation: Tom Fakterman August 2019)", "relationship_type": "uses", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5e324da5-0fee-4dac-b289-410d560e03e9", "created": "2023-09-28T19:46:49.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:39.172Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb", "created": "2023-09-28T20:16:28.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:39.400Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5f03ee5d-534c-454c-aae3-b41130b00286", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Dan Goodin March 2017", "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ", "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:39.624Z", "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0", "created": "2023-09-25T20:49:49.605Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:39.867Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and\u00a0User Account Management.", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5ff26c96-c610-4669-b44e-d6318205be5a", "created": "2023-09-29T16:43:28.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:40.092Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--600f0115-94e3-49bf-afa6-0180b3367b94", "created": "2023-09-28T20:06:15.180Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:40.318Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:40.518Z", "description": "Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024", "created": "2023-09-29T18:07:18.253Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:40.768Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--605f3853-b007-4134-8a2d-6a81a35e7676", "created": "2023-09-29T18:48:05.559Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:40.983Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6067c069-8e93-4bf0-bb49-97538d55c3de", "created": "2024-04-09T20:58:32.884Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:41.206Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6157408d-1eb3-4445-8d8a-14619458954f", "created": "2022-09-27T15:26:40.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:41.418Z", "description": "Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"}, {"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}, {"source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:41.643Z", "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--61869a8e-d6da-478a-b770-47f97beae8b4", "created": "2024-08-15T21:59:43.124Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "NCSC CISA Cyclops Blink Advisory February 2022", "description": "NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.", "url": "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:19:06.690Z", "description": "[VPNFilter](https://attack.mitre.org/software/S1010) is associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) operations based on reporting on [VPNFilter](https://attack.mitre.org/software/S1010) replacement software, [Cyclops Blink](https://attack.mitre.org/software/S0687).(Citation: NCSC CISA Cyclops Blink Advisory February 2022)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6258c355-677c-452d-b1fc-27767232437b", "created": "2019-03-26T16:19:52.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:42.032Z", "description": "[NotPetya](https://attack.mitre.org/software/S0368) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", "relationship_type": "uses", "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--62abe387-10a2-414b-881c-060b70db2157", "created": "2023-09-28T20:08:39.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:42.273Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--62e818b8-38e6-42ff-9424-9a327332eb2a", "created": "2022-09-29T20:02:37.671Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET Industroyer", "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:42.480Z", "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604) IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.(Citation: ESET Industroyer)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--630eb861-eb37-4258-9dbd-87789df2257a", "created": "2024-03-26T15:41:26.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:42.705Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:19:32.664Z", "relationship_type": "revoked-by", "source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", "target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:43.023Z", "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:43.267Z", "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918)", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:43.496Z", "description": "Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. For added context on adversary procedures and background see [Masquerading Mitigation](https://attack.mitre.org/mitigations/T1036) and applicable sub-techniques.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b", "created": "2023-09-29T17:44:55.599Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:43.745Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}, {"source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:43.943Z", "description": "[Triton](https://attack.mitre.org/software/S1009)'s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. (Citation: DHS CISA February 2019) (Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3", "created": "2023-09-29T16:43:05.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:44.216Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--642cae89-bb5c-46f3-9fea-8d747b930c35", "created": "2023-03-10T20:11:10.018Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:44.432Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's affected rivers.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--648c6649-5861-4b43-a7e5-a9665bafb576", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:44.640Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:44.867Z", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:45.085Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--652c1e77-cfea-4452-9762-5ba16f874119", "created": "2023-09-29T17:58:42.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:45.324Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:45.540Z", "description": "Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6573327e-3757-424e-8570-04ffe7d5d0e2", "created": "2023-09-27T14:53:25.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:45.770Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used port 443 to communicate with their C2 servers. (Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:46.003Z", "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--65aa5a0d-926c-4b04-9509-f66a99639877", "created": "2023-09-29T17:41:34.892Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:46.215Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916", "created": "2021-09-21T15:47:37.522Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CrowdStrike Carbon Spider August 2021", "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"}, {"source_name": "Microsoft Ransomware as a Service", "description": "Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"}, {"source_name": "IBM Ransomware Trends September 2020", "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.", "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/"}, {"source_name": "FBI Flash FIN7 USB", "description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.", "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:20:08.790Z", "description": "(Citation: IBM Ransomware Trends September 2020)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: FBI Flash FIN7 USB)(Citation: Microsoft Ransomware as a Service)", "relationship_type": "uses", "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5", "created": "2023-09-28T21:25:34.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:46.527Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2", "created": "2023-10-02T20:18:54.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:46.764Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", "created": "2019-03-26T16:19:52.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:46.983Z", "description": "[NotPetya](https://attack.mitre.org/software/S0368) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", "relationship_type": "uses", "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:47.198Z", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--665587ee-1524-4334-9580-2b448c417542", "created": "2023-03-30T19:26:07.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Industroyer2 Mandiant April 2022", "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks"}, {"source_name": "Industroyer2 Forescout July 2022", "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:47.442Z", "description": "[Industroyer2](https://attack.mitre.org/software/S1072) modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", "relationship_type": "uses", "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66738beb-0a33-4d70-baec-8307b5b34f80", "created": "2023-09-28T20:16:05.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:47.650Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6681bc38-0b55-4714-b690-c609956b40bf", "created": "2022-09-28T20:27:33.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA-AA22-103A", "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}, {"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:47.871Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).(Citation: CISA-AA22-103A)\n\n [INCONTROLLER](https://attack.mitre.org/software/S1045) can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d", "created": "2023-03-10T20:32:02.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:48.099Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66af47d7-c430-4ac9-8020-fd79b7059037", "created": "2022-09-28T20:28:03.422Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA-AA22-103A", "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}, {"source_name": "Dragos-Pipedream", "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"}, {"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:48.321Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702", "created": "2023-09-29T17:43:31.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:48.549Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66d637a0-4874-4b12-bd3a-b408acb06d26", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:48.765Z", "description": "Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66d8f3d7-68e0-48a0-a563-4746922080fc", "created": "2024-04-09T20:48:46.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:49.011Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68", "created": "2024-09-11T22:50:15.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Claroty Fuxnet 2024", "description": "Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.", "url": "https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:49.271Z", "description": "[Fuxnet](https://attack.mitre.org/software/S1157) initial execution relied on accessing external remote services for victim environments.(Citation: Claroty Fuxnet 2024)", "relationship_type": "uses", "source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:49.483Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) has the capability to stop a service itself, or to login as a user and stop a service as that user. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--671043a9-337f-411a-9ca9-3112e897ab09", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:49.722Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd", "created": "2023-09-29T18:02:52.119Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:49.950Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6795c92f-848f-488e-9c25-d240f99c9b34", "created": "2023-09-28T21:23:39.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:50.161Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab", "created": "2022-09-27T15:40:41.869Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "EyeofRa Detecting Hooking June 2017", "description": "Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017.", "url": "https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/"}, {"source_name": "Zairon Hooking Dec 2006", "description": "Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017.", "url": "https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/"}, {"source_name": "Microsoft Hook Overview", "description": "Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.", "url": "https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx"}, {"source_name": "PreKageo Winhook Jul 2011", "description": "Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.", "url": "https://github.com/prekageo/winhook"}, {"source_name": "Jay GetHooks Sept 2011", "description": "Satiro, J. (2011, September 14). GetHooks. Retrieved December 12, 2017.", "url": "https://github.com/jay/gethooks"}, {"source_name": "Volatility Detecting Hooks Sept 2012", "description": "Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.", "url": "https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:50.389Z", "description": "Monitor for API calls that can be used to install a hook procedure, such as the SetWindowsHookEx and SetWinEventHook functions.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jeff Jones May 2018", "description": "Jeff Jones 2018, May 10 Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE Retrieved. 2020/01/03 ", "url": "https://www.eisac.com/public-news-detail?id=115909"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:50.595Z", "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized spear phishing to gain access into energy sector environments. (Citation: Jeff Jones May 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--67ae8423-c401-4c11-93d3-0454c288d934", "created": "2023-09-29T16:31:57.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:50.822Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--67dae594-4239-4756-a0bc-dee75de19e4c", "created": "2023-09-29T17:07:14.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:51.045Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--67e11f38-9f68-4989-8de3-da65af52063e", "created": "2023-03-30T19:24:54.896Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Industroyer2 ESET April 2022", "description": "ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.", "url": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"}, {"source_name": "Industroyer2 Forescout July 2022", "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:51.272Z", "description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to poll a target device about its connection status, data transfer status, Common Address (CA), Information Object Addresses (IOAs), and IO state values across multiple priority levels.(Citation: Industroyer2 Forescout July 2022)(Citation: Industroyer2 ESET April 2022)", "relationship_type": "uses", "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:51.507Z", "description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--685249f9-e51a-4914-8b7f-09679e04198b", "created": "2023-09-28T19:49:11.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:51.723Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--686cbd74-ef49-4e77-9599-21777d3a4738", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:51.936Z", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1", "created": "2023-09-28T19:39:25.832Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:52.150Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", "created": "2020-05-14T14:40:26.221Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Red Canary Hospital Thwarted Ryuk October 2020", "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"}, {"source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"}, {"source_name": "CrowdStrike Ryuk January 2019", "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"}, {"source_name": "FireEye KEGTAP SINGLEMALT October 2020", "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"}, {"source_name": "Microsoft Ransomware as a Service", "description": "Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"}, {"source_name": "CrowdStrike Wizard Spider October 2020", "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"}, {"source_name": "Sophos New Ryuk Attack October 2020", "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/"}, {"source_name": "Mandiant FIN12 Oct 2021", "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"}, {"source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/"}, {"source_name": "DFIR Ryuk in 5 Hours October 2020", "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/"}, {"source_name": "DFIR Ryuk's Return October 2020", "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", "url": "https://thedfirreport.com/2020/10/08/ryuks-return/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:20:55.390Z", "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)(Citation: Mandiant FIN12 Oct 2021)(Citation: Microsoft Ransomware as a Service)", "relationship_type": "uses", "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:52.510Z", "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6902da63-3b59-46f3-99e0-6008dd47ab70", "created": "2022-09-27T15:33:16.221Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:52.752Z", "description": "Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host\u2019s GUI.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:52.955Z", "description": "Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec", "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", "url": "https://docs.broadcom.com/doc/w32-duqu-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:53.160Z", "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data in information repositories, including the Infostealer 2 module that can access data from Windows Shares.(Citation: Symantec)", "relationship_type": "uses", "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--692ff921-c74d-40a4-ab31-879aba5f247a", "created": "2023-09-29T16:42:01.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:53.380Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:53.587Z", "description": "Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility coverterms, codenames). In many cases this information may be necessary to support critical engineering, maintenance, or operational functions, therefore, it may not be feasible to implement.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91", "created": "2024-03-25T20:11:07.813Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA AA23-335A IRGC-Affiliated December 2023", "description": "DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}, {"source_name": "Jamie Tarabay and Katrina Manson December 2023", "description": "Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024.", "url": "https://www.bloomberg.com/news/articles/2023-12-22/iranian-linked-hacks-expose-failure-to-safeguard-us-water-system"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:53.819Z", "description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) replaced the existing graphic on the [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002) with their own, thereby preventing PLC owners and operators from viewing PLC information on the HMI.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Jamie Tarabay and Katrina Manson December 2023) ", "relationship_type": "uses", "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "IEC February 2019", "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/34421"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:54.021Z", "description": "Provide the ability to verify the integrity of controller tasking. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--69cf4015-fae1-47f6-9253-1f99209288a5", "created": "2023-09-29T16:27:34.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:54.220Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--69d19946-72fb-40ce-90fb-0757df8353b5", "created": "2024-11-20T23:05:29.090Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:54.431Z", "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) communicates using the Modbus protocol over the standard port of TCP 502.(Citation: Dragos FROSTYGOOP 2024)", "relationship_type": "uses", "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820", "created": "2023-09-29T17:44:19.135Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:54.629Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a476f56-2c07-43be-8054-d978ee8eb924", "created": "2023-09-29T16:42:12.160Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:54.854Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908", "created": "2023-03-30T19:25:53.572Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Industroyer2 Mandiant April 2022", "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks"}, {"source_name": "Industroyer2 Forescout July 2022", "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:55.057Z", "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", "relationship_type": "uses", "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:55.272Z", "description": "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d", "created": "2023-03-30T14:09:40.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:55.485Z", "description": "Monitor for device alarms produced when device management passwords are changed, although not all devices will produce such alarms.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:55.713Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72", "created": "2023-09-29T16:31:22.789Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:55.918Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c", "created": "2024-03-25T20:06:37.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA AA23-335A IRGC-Affiliated December 2023", "description": "DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}, {"source_name": "Lisa Zahner December 2023", "description": "Lisa Zahner. (2023, December 15). Hackers in Iran attack computer at Vero Utilities. Retrieved March 25, 2024.", "url": "https://veronews.com/2023/12/15/hackers-in-iran-attack-computer-at-vero-utilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:56.113Z", "description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) exploited devices connected to the public internet, such as internet connected Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002) and networking equipment such as cellular modems found in OT environments.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Lisa Zahner December 2023)", "relationship_type": "uses", "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6b54f354-9059-4366-8077-87360c4db2ab", "created": "2023-10-02T20:18:20.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:56.338Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:56.540Z", "description": "Only authorized personnel should be able to change settings for alarms.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:56.761Z", "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:56.985Z", "description": "Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal on Host Mitigation](https://attack.mitre.org/mitigations/T1070) and applicable sub-techniques.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d", "created": "2021-10-08T15:25:32.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:57.213Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell with the following command: `set @s = master..xp _ cmdshell extrac32 /y +@t+ +@t+x; exec(@s);` (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:57.426Z", "description": "Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee", "created": "2022-09-29T14:26:04.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:57.666Z", "description": "Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:57.900Z", "description": "Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6bf14e79-3287-4b9e-b222-9d527530df1e", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:58.129Z", "description": "Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187", "created": "2021-10-14T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:58.370Z", "description": "Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6c31c795-935a-41ad-8db1-d74430f4a553", "created": "2023-09-29T18:56:59.151Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:58.609Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4", "created": "2023-09-28T20:09:36.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:58.835Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e", "created": "2023-09-28T20:08:52.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:59.035Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:59.279Z", "description": "All remote services should require strong authentication before providing user access.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:59.500Z", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through trojanized installers planted on compromised vendor sites. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "relationship_type": "uses", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5", "created": "2023-03-10T20:35:16.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:59.730Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:02:59.940Z", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6e7e6dfa-99ed-4cf1-b836-16ad0ae0924b", "created": "2024-03-25T20:18:44.670Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:00.148Z", "description": "Monitor executed commands and associated arguments for application programs which support executing custom code, scripts, commands, or executables. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6eaf727c-fec3-4e63-8852-eee27c44d596", "created": "2022-09-27T15:23:19.486Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:00.398Z", "description": "Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f", "created": "2024-03-26T15:42:22.024Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:00.601Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ed07095-c23a-4676-807f-a544deaeb274", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee Labs October 2019", "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us"}, {"source_name": "SecureWorks September 2019", "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:00.821Z", "description": "[REvil](https://attack.mitre.org/software/S0496) sends exfiltrated data from the victims system using HTTPS POST messages sent to the C2 system. (Citation: McAfee Labs October 2019) (Citation: SecureWorks September 2019)", "relationship_type": "uses", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:01.035Z", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf", "created": "2023-09-29T17:41:50.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:01.272Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:01.498Z", "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f2ddada-d7df-4788-b5d1-9add185142e0", "created": "2023-09-28T20:02:57.330Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:01.724Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e", "created": "2023-09-28T21:27:14.172Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:01.937Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f950c91-125b-46a0-aa40-239b4de2306a", "created": "2023-09-28T21:14:03.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:02.130Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd", "created": "2024-09-11T23:00:00.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Claroty Fuxnet 2024", "description": "Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.", "url": "https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:02.333Z", "description": "[Fuxnet](https://attack.mitre.org/software/S1157) repeatedly wrote arbitrary data over the Meter-Bus channel from impacted devices to connected sensors to render sensor data acquisition useless.(Citation: Claroty Fuxnet 2024)", "relationship_type": "uses", "source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:02.537Z", "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7", "created": "2023-03-30T19:25:22.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Industroyer2 Forescout July 2022", "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:02.767Z", "description": "[Industroyer2](https://attack.mitre.org/software/S1072) leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.(Citation: Industroyer2 Forescout July 2022)", "relationship_type": "uses", "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--70113c21-85f2-4232-8755-233f93864277", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:02.978Z", "description": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running. For added context on adversary procedures and background see [Service Stop Mitigation](https://attack.mitre.org/mitigations/T1489).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:03.179Z", "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:03.420Z", "description": "[Triton](https://attack.mitre.org/software/S1009) communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe which includes a Python environment. (Citation: DHS CISA February 2019)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--70a9010c-6943-4274-b854-50901c3e5a0e", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:03.639Z", "description": "Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:03.869Z", "description": "Monitor network traffic for default credential use in protocols that allow unencrypted authentication.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Catalin Cimpanu April 2016", "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}, {"source_name": "Symantec June 2015", "description": "Symantec 2015, June 30 Simple steps to protect yourself from the Conficker Worm Retrieved. 2019/12/05 ", "url": "https://support.symantec.com/us/en/article.tech93179.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:04.077Z", "description": "[Conficker](https://attack.mitre.org/software/S0608) exploits Windows drive shares. Once it has infected a computer, [Conficker](https://attack.mitre.org/software/S0608) automatically copies itself to all visible open drive shares on other computers inside the network. (Citation: Symantec June 2015) Nuclear power plant officials suspect someone brought in [Conficker](https://attack.mitre.org/software/S0608) by accident on a USB thumb drive, either from home or computers found in the power plant's facility. (Citation: Catalin Cimpanu April 2016)", "relationship_type": "uses", "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977", "created": "2023-09-28T19:55:37.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:04.320Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:04.533Z", "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:04.796Z", "description": "To protect against AiTM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from AiTM.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3", "created": "2024-09-11T23:00:48.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Claroty Fuxnet 2024", "description": "Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.", "url": "https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:04.999Z", "description": "[Fuxnet](https://attack.mitre.org/software/S1157) impaired sensor communication to impacted devices resulting in a loss of view condition for overall system monitoring.(Citation: Claroty Fuxnet 2024)", "relationship_type": "uses", "source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7258c355-677c-452d-b1fc-27767232437b", "created": "2019-03-26T16:19:52.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019", "description": "David Voreacos, Katherine Chinglinsky, Riley Griffin 2019, December 03 Merck Cyberattacks $1.3 Billion Question: Was It an Act of War? Retrieved. 2019/12/06 ", "url": "https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:05.205Z", "description": "[NotPetya](https://attack.mitre.org/software/S0368) disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines. (Citation: David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019)", "relationship_type": "uses", "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--72bfda0b-31e9-4958-8d40-6efe816d9989", "created": "2022-09-27T15:32:03.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:05.417Z", "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--730580d4-d68c-407f-9d09-f379e9aefc7e", "created": "2023-03-30T19:25:41.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Industroyer2 Forescout July 2022", "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:05.631Z", "description": "[Industroyer2](https://attack.mitre.org/software/S1072) uses a General Interrogation command to monitor the device\u2019s Information Object Addresses (IOAs) and their IO state values.(Citation: Industroyer2 Forescout July 2022)", "relationship_type": "uses", "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--73093c08-ea39-4956-8bff-55e15f6630cd", "created": "2023-09-28T20:07:59.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:05.863Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos", "description": "Dragos Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 Magnallium Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/magnallium/"}, {"source_name": "Symantec March 2019", "description": "Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 ", "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:06.078Z", "description": "[APT33](https://attack.mitre.org/groups/G0064) utilized PowerShell scripts to establish command and control and install files for execution. (Citation: Symantec March 2019) (Citation: Dragos)", "relationship_type": "uses", "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--73a48431-3597-4a72-acb8-c1e5019073e2", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Twitter ItsReallyNick Masquerading Update", "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.", "url": "https://x.com/ItsReallyNick/status/1055321652777619457"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:06.311Z", "description": "Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.(Citation: Twitter ItsReallyNick Masquerading Update)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148", "created": "2024-03-25T20:17:16.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:06.534Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--740082b7-2411-473a-a59d-4d46cf12f8b5", "created": "2023-09-29T18:45:01.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:06.769Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7411b05d-209a-4907-83ce-00ab1538fbac", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:06.974Z", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7", "created": "2023-09-29T17:57:23.090Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:07.186Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "MDudek-ICS", "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:07.420Z", "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. (Citation: MDudek-ICS)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--74ec9ce5-3155-488c-ae56-570c47a1d207", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "D. Parsons and D. Wylie September 2019", "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/"}, {"source_name": "Colin Gray", "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901"}, {"source_name": "Josh Rinaldi April 2016", "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/"}, {"source_name": "Aditya K Sood July 2019", "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/"}, {"source_name": "Langner November 2018", "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ", "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:07.643Z", "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:07.872Z", "description": "Execution prevention may block malicious software from accessing protected resources through the command line interface.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--754521fc-4306-4daa-831b-6b6fb45847e2", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "MITRE June 2020", "description": "MITRE 2020, June CWE CATEGORY: 7PK - API Abuse Retrieved. 2020/09/25 ", "url": "https://cwe.mitre.org/data/definitions/227.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:08.074Z", "description": "All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. (Citation: MITRE June 2020)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7584e57f-1258-4c47-b18d-99019a586e6c", "created": "2023-09-28T21:16:35.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:08.328Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--758773e3-d23d-44db-b5d3-643cde5b41f1", "created": "2023-09-28T19:45:07.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:08.526Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:08.752Z", "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75a60046-c4d7-498a-b256-9a93b5992dcc", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:08.958Z", "description": "Monitor for unusual processes with internal network connections creating files on-system which may be suspicious. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48", "created": "2023-09-29T17:06:33.098Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:09.180Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75e6adae-06a7-47e9-878e-74ca73004c3b", "created": "2023-09-28T20:30:01.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:09.421Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--76537fd7-5782-4a8d-9b54-117b168a4306", "created": "2023-09-29T16:38:51.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:09.631Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:09.856Z", "description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. For added context on adversary procedures and background see [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) and applicable sub-techniques.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--77566f94-5e26-41c9-892f-2f62b395afe7", "created": "2023-09-28T20:01:43.057Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:10.076Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--77821dbb-367e-455f-bcae-b87412e88f1b", "created": "2022-09-26T16:56:53.939Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:10.317Z", "description": "Monitor asset management systems for device configuration changes which can be used to understand expected parameter settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--77f3a64d-227d-487f-8484-89007e05b59f", "created": "2023-09-28T21:16:14.153Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:10.528Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--78881a3d-59ad-4fbb-8bd2-69388a068584", "created": "2023-09-29T18:01:45.518Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:10.749Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631", "created": "2023-09-28T21:09:33.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:10.979Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--78972893-5d8c-480f-a05d-481adc0c8bb0", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:11.181Z", "description": "Monitor ICS automation network protocols for functions related to reading an asset\u2019s operating mode. In some cases, there may be multiple ways to detect a device\u2019s operating mode, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7912946d-1605-465a-a55c-36bb104235ab", "created": "2022-09-27T16:08:53.157Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:11.429Z", "description": "Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec", "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", "url": "https://docs.broadcom.com/doc/w32-duqu-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:11.665Z", "description": "[Duqu](https://attack.mitre.org/software/S0038)'s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.(Citation: Symantec)", "relationship_type": "uses", "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--79235599-e23f-43cb-9c56-1eb22b7c4664", "created": "2023-09-29T16:38:38.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:11.899Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:12.112Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--79407d1e-8e16-48c1-939c-ad92f91dd988", "created": "2023-09-29T16:30:19.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:12.327Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384", "created": "2021-10-14T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "North America Transmission Forum December 2019", "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ", "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:12.541Z", "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--798de2f3-218b-4622-a62c-84e3840d45a6", "created": "2023-09-29T18:00:10.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:12.762Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19", "created": "2023-09-29T16:32:22.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:12.990Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--79d05cb2-ded0-4847-b52e-af7af421f303", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kevin Savage and Branko Spasojevic", "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20190930124504/https:/www.symantec.com/security-center/writeup/2012-052811-0308-99"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:13.202Z", "description": "[Flame](https://attack.mitre.org/software/S0143) can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information. (Citation: Kevin Savage and Branko Spasojevic)", "relationship_type": "uses", "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:13.412Z", "description": "Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe). ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Hydro", "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"}, {"source_name": "Kevin Beaumont", "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:13.651Z", "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of view which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", "relationship_type": "uses", "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978", "created": "2022-09-26T14:29:33.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:13.874Z", "description": "Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:14.092Z", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0", "created": "2023-09-29T16:33:23.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:14.317Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780", "created": "2023-09-28T19:45:42.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:14.536Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b", "created": "2023-09-29T17:39:54.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:14.746Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7bb1dbec-7314-479a-9496-86f8e25041eb", "created": "2023-09-29T16:40:43.415Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:14.965Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07", "created": "2023-09-29T18:49:01.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:15.169Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84", "created": "2023-09-28T20:07:15.553Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:15.437Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07", "created": "2023-03-31T17:45:32.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Crashoverride 2018", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:15.644Z", "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.(Citation: Dragos Crashoverride 2018)", "relationship_type": "uses", "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea", "created": "2023-09-28T20:07:01.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:15.875Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:16.097Z", "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c", "created": "2022-09-29T01:37:13.671Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}, {"source_name": "Brubaker-Incontroller", "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:16.338Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:16.555Z", "description": "Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd", "created": "2022-09-27T15:27:00.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:16.766Z", "description": "Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c329018-b591-42c4-8806-4d02ccd47476", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:16.975Z", "description": "Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:17.196Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) toggles breakers to the open state utilizing unauthorized command messages. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23", "created": "2023-09-29T18:48:29.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:17.412Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95", "created": "2022-09-27T17:22:27.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:17.615Z", "description": "Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c893581-c847-495a-aa93-9d98c516e1ae", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:17.887Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603)'s infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804", "created": "2024-03-27T19:55:40.243Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Mandiant-Sandworm-Ukraine-2022", "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", "url": "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:18.083Z", "description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.(Citation: Mandiant-Sandworm-Ukraine-2022)", "relationship_type": "uses", "source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:18.320Z", "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d2db896-3051-483c-bc53-ca21832ee085", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:18.520Z", "description": "Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:18.748Z", "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d42ba22-9595-4463-8dda-c0e47a154fed", "created": "2023-09-28T20:07:48.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:18.952Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:19.166Z", "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:19.400Z", "description": "Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may then perform these actions using [Valid Accounts](https://attack.mitre.org/techniques/T0859).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:19.600Z", "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d752615-33f0-44ed-a156-25d84f384e75", "created": "2023-09-27T14:57:11.627Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:19.824Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power company phone line operators were hit with a denial of service attack so that they couldn\u2019t field customers\u2019 calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:20.034Z", "description": "Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see [System Network Configuration Discovery Mitigation](https://attack.mitre.org/mitigations/T1016) and [System Network Connections Discovery Mitigation](https://attack.mitre.org/mitigations/T1049).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:20.268Z", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b", "created": "2024-04-09T20:53:54.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:20.498Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7dedeb73-ef90-4282-a635-cc37326773af", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:20.721Z", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7e87ce08-a428-4e55-876e-80d2760121a5", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:20.920Z", "description": "Monitor executed commands and arguments for actions that could be taken to collect internal data.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858", "created": "2023-09-29T16:32:46.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:21.134Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706", "created": "2023-09-28T20:28:16.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:21.376Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7", "created": "2023-09-29T17:43:22.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:21.575Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:21.789Z", "description": "Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3", "created": "2022-09-26T15:24:07.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:21.984Z", "description": "Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:22.214Z", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:22.426Z", "description": "Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Dan Goodin March 2017", "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ", "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:22.643Z", "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:22.903Z", "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:23.140Z", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--80a69b56-337d-446a-8167-8b9f63083c4f", "created": "2022-09-28T21:24:21.810Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA-AA22-103A", "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}, {"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:23.373Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) includes a library that creates Modbus connections with a device to request its device ID.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b", "created": "2024-03-25T20:17:49.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:23.570Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81055366-e78b-40e0-a799-4b536ba03db3", "created": "2023-09-29T18:45:22.474Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:23.776Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81117328-e2bb-431c-a1ca-6ba7e6816637", "created": "2022-09-26T16:25:38.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:23.972Z", "description": "Consult asset management systems to understand expected program versions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81352e47-4317-45e3-88b9-a97dd2166727", "created": "2024-03-28T14:29:05.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TRITON Dec 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:24.181Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.(Citation: FireEye TRITON Dec 2017)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6", "created": "2023-09-28T20:11:42.579Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:24.426Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81806f43-c9aa-486e-8032-4e4665ba0d39", "created": "2023-09-29T18:43:13.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:24.650Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32", "created": "2023-09-28T21:13:00.330Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:24.878Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81add433-49d8-43ec-85d5-f48fe80e56e7", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:25.091Z", "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:25.325Z", "description": "Users can be trained to identify social engineering techniques and spearphishing emails.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}, {"source_name": "Langer Stuxnet", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:25.567Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. (Citation: Langer Stuxnet)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:25.772Z", "description": "Monitor Windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal on Host Mitigation](https://attack.mitre.org/mitigations/T1070) and applicable sub-techniques.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--83a964cb-730c-44e4-859b-b5246159396b", "created": "2023-09-29T17:59:43.275Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:25.998Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:26.229Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--83c8c216-7ff7-4bd3-9db4-573469628d95", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Joe Slowik August 2019", "description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:26.438Z", "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:26.648Z", "description": "Monitor for newly constructed drive letters or mount points to removable media.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:26.883Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:27.085Z", "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--84671396-a556-4a5d-9bb9-cac697277371", "created": "2023-09-29T16:31:12.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:27.313Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65", "created": "2023-09-28T21:11:15.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:27.552Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--84fa50ff-bb84-4ab6-b759-658c57532c42", "created": "2023-09-29T16:32:09.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:27.783Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7", "created": "2023-09-29T18:01:32.878Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:28.038Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75", "created": "2023-09-29T17:59:22.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:28.278Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--856e18a8-df82-402a-9105-ff4b7e4caf12", "created": "2024-11-20T23:07:17.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}, {"source_name": "Nozomi BUSTLEBERM 2024", "description": "Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.", "url": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:28.490Z", "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) is compiled for Windows systems and leverages a Windows-based command line interface.(Citation: Dragos FROSTYGOOP 2024) Modbus interaction functionality is based off a publicly available Github repository for command line input.(Citation: Nozomi BUSTLEBERM 2024)", "relationship_type": "uses", "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--868db512-b897-4a54-ae56-ac78f6c93a14", "created": "2022-09-28T20:29:18.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA-AA22-103A", "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"}, {"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:28.791Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use a Telnet session to load a malware implant on Omron PLCs.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc", "created": "2023-09-28T19:58:13.866Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:29.013Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:29.217Z", "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86c94552-de59-453d-ac06-28a6a64db930", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:29.440Z", "description": "Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:29.643Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c", "created": "2023-09-28T21:09:41.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:29.875Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:30.082Z", "description": "Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:30.320Z", "description": "Protect files with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--874752f4-59a2-46e9-ae28-befe0142b223", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:30.532Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:30.772Z", "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--87eb5825-c918-444f-8da5-67da9eea9906", "created": "2022-09-26T17:14:52.427Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:30.996Z", "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:31.203Z", "description": "Some asset application logs may provide information on I/O points related to write commands. Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce", "created": "2022-09-27T15:25:50.596Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:31.430Z", "description": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2", "created": "2023-09-28T21:24:07.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:31.654Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--892c0bff-17b6-447b-a213-6a3189a1df82", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:32.003Z", "description": "Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--897cfc36-4253-4e1e-8825-726dbe9088a2", "created": "2023-09-28T19:55:02.944Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:32.235Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:32.445Z", "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", "created": "2021-10-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:32.672Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects DLL's associated with the WinCC Simatic manager which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the `xyz.dll` file. If the `xyz.dll` file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf", "created": "2023-03-30T19:01:40.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:32.878Z", "description": "Monitor for any suspicious attempts to enable scripts running on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:33.100Z", "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108", "created": "2023-09-29T16:42:43.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:33.311Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62", "created": "2023-09-27T14:50:09.612Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:33.511Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) moved their tools laterally within the ICS network. (Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c", "created": "2022-09-26T16:50:56.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:33.718Z", "description": "Monitor for a loss of network communications, which may indicate a device has been shutdown or restarted. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:33.911Z", "description": "Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Asset management systems should be consulted to understand known-good firmware versions and configurations.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:34.111Z", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "MDudek-ICS", "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:34.317Z", "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. (Citation: MDudek-ICS)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b491011-322d-4e0b-8f79-449e1b2ee185", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:34.529Z", "description": "Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f", "created": "2023-09-27T14:49:29.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}, {"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:34.747Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) scheduled the uninterruptable power supplies (UPS) to shutdown data and telephone servers via the UPS management interface. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:34.951Z", "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4", "created": "2023-10-02T20:21:16.665Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:35.161Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:35.379Z", "description": "Monitor for unexpected deletion of files.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:35.566Z", "description": "Ensure remote commands that enable device shutdown are disabled if they are not necessary. Examples include DNP3's 0x0D function code or unnecessary device management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95", "created": "2023-09-28T20:31:46.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:35.783Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91", "created": "2023-09-27T14:49:48.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:35.985Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7", "created": "2023-09-28T21:25:20.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:36.191Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8da928a0-1c87-471f-aad7-5a1fdd438357", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:36.407Z", "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash, which may be recorded in the application log.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:36.627Z", "description": "Device restarts and shutdowns may be observable in device application logs. Monitor for unexpected device restarts or shutdowns.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:36.845Z", "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b", "created": "2023-09-29T17:05:44.653Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:37.044Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af", "created": "2023-03-30T19:04:30.392Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:37.229Z", "description": "Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:37.448Z", "description": "Using OPC, a component of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "relationship_type": "uses", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8", "created": "2023-03-30T19:00:57.773Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:37.662Z", "description": "Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.", "relationship_type": "mitigates", "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:37.867Z", "description": "Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f947e00-2579-4120-a8b0-d466e59fac1a", "created": "2023-09-28T19:49:25.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:38.068Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Dan Goodin March 2017", "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ", "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:38.275Z", "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:38.494Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb", "created": "2023-09-29T17:04:17.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:38.724Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--90647f03-38a4-4364-a3af-53640a81360e", "created": "2023-03-31T18:11:19.943Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Joe Slowik August 2019", "description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"}, {"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:31:40.365Z", "description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Joe Slowik August 2019)", "relationship_type": "attributed-to", "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "target_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6", "created": "2023-09-28T20:04:44.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:39.033Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", "created": "2021-04-12T10:12:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html"}, {"source_name": "ICS-CERT August 2018", "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:39.267Z", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "relationship_type": "uses", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--910bada1-c923-4009-a9ea-da257072f168", "created": "2023-09-29T16:29:27.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:39.456Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:39.638Z", "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:39.862Z", "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--92ea1c2a-3835-43de-bb56-24e937a6f322", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:40.082Z", "description": "Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (e.g., JScript.dll, vbscript.dll).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e", "created": "2023-09-29T17:38:40.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:40.317Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--93c336f2-7e7c-4c79-af16-faae03e66121", "created": "2023-09-29T18:44:09.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:40.516Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:40.724Z", "description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. (Citation: DHS CISA February 2019)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--943a9a5c-7826-451d-ac73-34353ea40595", "created": "2023-09-29T16:33:36.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:40.934Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--94654460-b115-4056-beb1-e982ed33437b", "created": "2023-03-30T18:59:46.674Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:41.155Z", "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from the local system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)", "relationship_type": "mitigates", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--949b498c-ca3f-4704-90bd-a22a4d34067f", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:41.391Z", "description": "Monitor for loss of operational process data which could indicate alarms are being suppressed. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e", "created": "2022-09-27T15:48:55.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:41.596Z", "description": "Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms.\n \n[Program Download](https://attack.mitre.org/techniques/T0843) may be used to enable this technique. Monitor for program downloads which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:41.817Z", "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6", "created": "2024-04-09T20:47:47.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:42.019Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d", "created": "2023-09-28T20:17:07.288Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:42.230Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:42.456Z", "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:42.723Z", "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8", "created": "2023-09-28T20:25:30.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:42.947Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:43.154Z", "description": "Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets, including the associated controller tasking.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97538255-b049-4d15-91c4-6b227cbea476", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:43.371Z", "description": "Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that that an alarm setting has changed. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97641754-f215-4b8f-b0cd-0d3142053c76", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee CHIPSEC Blog", "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/"}, {"source_name": "MITRE Copernicus", "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about"}, {"source_name": "Intel HackingTeam UEFI Rootkit", "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"}, {"source_name": "Github CHIPSEC", "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.", "url": "https://github.com/chipsec/chipsec"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:43.569Z", "description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97756c8a-b702-472b-8d67-15464a73093e", "created": "2023-09-27T14:56:28.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}, {"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:43.764Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [KillDisk](https://attack.mitre.org/software/S0607) rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the firmware for serial-to-ethernet converters, denying operators control of the downstream devices. (Citation: Booz Allen Hamilton)(Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:43.954Z", "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:44.154Z", "description": "Monitor device application logs parameter changes, although not all devices will produce such logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1", "created": "2023-09-29T16:40:54.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:44.374Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e", "created": "2023-09-29T16:41:32.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:44.581Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319", "created": "2023-09-29T18:47:52.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:44.807Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--982d0b4f-274a-4738-9262-57fc80d468f9", "created": "2024-03-26T15:41:51.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:45.001Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:45.188Z", "description": "Devices should authenticate all messages between master and outstation assets.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5", "created": "2024-03-27T20:46:21.569Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Mandiant-Sandworm-Ukraine-2022", "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", "url": "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:45.412Z", "description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) executed a MicroSCADA application binary `scilc.exe` to send a predefined list of SCADA instructions specified in a file defined by the adversary, `s1.txt`. The executed command `C:\\sc\\prog\\exec\\scilc.exe -do pack\\scil\\s1.txt` leverages the SCADA software to send unauthorized command messages to remote substations.(Citation: Mandiant-Sandworm-Ukraine-2022)", "relationship_type": "uses", "source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d", "target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98567b03-7421-4761-8caa-cbea82d89fe3", "created": "2024-03-26T15:40:06.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:45.606Z", "description": "Configure operating systems to disable the autorun of any specific file types or drives.", "relationship_type": "mitigates", "source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", "target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98b229f8-6020-4fbb-b104-54fd478c14d9", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:45.836Z", "description": "Monitor logon sessions for default credential use.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:46.037Z", "description": "Set and enforce secure password policies for accounts.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:46.280Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of control. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Catalin Cimpanu April 2016", "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:46.490Z", "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to temporarily shutdown. (Citation: Catalin Cimpanu April 2016)", "relationship_type": "uses", "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134", "created": "2023-09-29T18:03:23.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:46.711Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--99c0c90e-8526-41d6-80ca-b037598c6326", "created": "2022-09-26T19:37:35.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:46.921Z", "description": "Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:47.107Z", "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f", "created": "2023-09-28T19:56:54.642Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:47.341Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--99fa6d92-0c41-44ed-bd30-dd0413785883", "created": "2023-09-29T18:43:23.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:47.537Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf", "created": "2023-09-28T20:04:32.626Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:47.761Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:47.976Z", "description": "Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0", "created": "2024-03-25T19:59:09.628Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CISA AA23-335A IRGC-Affiliated December 2023", "description": "DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:48.222Z", "description": "(Citation: CISA AA23-335A IRGC-Affiliated December 2023)", "relationship_type": "attributed-to", "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", "target_ref": "intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:48.444Z", "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9ad74496-e164-4068-a0f5-379f507ba864", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:48.658Z", "description": "Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8", "created": "2023-09-29T18:58:05.958Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:48.878Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:49.070Z", "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Xenotime 2018", "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", "url": "https://dragos.com/resource/xenotime/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:49.268Z", "description": "(Citation: Dragos Xenotime 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875", "created": "2023-09-28T19:37:35.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:49.479Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1", "created": "2023-09-28T20:11:52.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:49.669Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5", "created": "2023-09-28T19:59:44.009Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:49.859Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:50.052Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9cf83701-a347-47b4-a67b-280df95b275d", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:50.269Z", "description": "Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f", "created": "2022-09-27T18:40:11.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:50.487Z", "description": "In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:50.708Z", "description": "Alterations to the service binary path or the service startup type changed to disabled may be suspicious.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:50.900Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9d75333b-2542-4899-923f-55dc1e077a51", "created": "2022-09-27T16:03:41.224Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:51.099Z", "description": "Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3", "created": "2022-09-26T14:44:05.557Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:51.313Z", "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "MDudek-ICS", "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:51.519Z", "description": "[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.(Citation: MDudek-ICS)\n\n[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.(Citation: MDudek-ICS)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9e0810a5-ad02-487f-b0a8-bf07decca493", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:51.731Z", "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:51.928Z", "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500", "created": "2023-09-29T18:07:28.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:52.125Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", "created": "2021-01-04T21:30:14.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET Industroyer", "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}, {"source_name": "Dragos Crashoverride 2017", "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"}, {"source_name": "Dragos Crashoverride 2018", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}, {"source_name": "mandiant_apt44_unearthing_sandworm", "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.", "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"}, {"source_name": "Secureworks IRON VIKING", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:35:45.136Z", "description": "(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2017)(Citation: ESET Industroyer)(Citation: Secureworks IRON VIKING)(Citation: mandiant_apt44_unearthing_sandworm)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5", "created": "2022-09-27T16:38:57.931Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:52.423Z", "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9f2926a2-596f-459e-827e-6fe2d4646efd", "created": "2023-09-29T18:06:46.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:52.641Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9f43126d-5f6c-42a9-9908-49175c27ead7", "created": "2023-03-30T19:27:26.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Industroyer2 ESET April 2022", "description": "ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.", "url": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"}, {"source_name": "mandiant_apt44_unearthing_sandworm", "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.", "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:35:48.256Z", "description": "(Citation: Industroyer2 ESET April 2022)(Citation: mandiant_apt44_unearthing_sandworm)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3", "created": "2023-09-28T21:12:14.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:52.949Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:53.161Z", "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949", "created": "2023-09-27T14:48:40.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:53.416Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47", "created": "2023-09-28T20:04:19.147Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:53.610Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:53.816Z", "description": "Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:54.013Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of view. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:54.224Z", "description": "Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CISA June 2013", "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:54.421Z", "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: CISA June 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1454196-0d86-49f2-8dcb-61145a16b21e", "created": "2022-09-26T20:36:04.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:54.635Z", "description": "Monitor for files accessed on removable media, particularly those with executable content.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a15d718f-af30-4745-a837-887ba8f48727", "created": "2023-09-29T16:30:46.705Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:54.855Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Inc. June 2017", "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:55.071Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. (Citation: Dragos Inc. June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476", "created": "2023-09-29T16:43:16.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:55.269Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3", "created": "2023-09-29T16:28:17.629Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:55.467Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a2142552-6b8d-4751-a3d4-1471420c02fc", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:55.670Z", "description": "Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to enable remote logins.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039", "created": "2023-09-28T21:16:05.517Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:55.878Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a22fabd2-836e-4141-9219-c76cc10138ec", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:56.065Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b", "created": "2023-09-29T16:44:03.912Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:56.284Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d", "created": "2023-09-29T18:04:05.993Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:56.481Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:56.721Z", "description": "On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. Shells may be common on administrator, developer, or power user systems depending on job function.\n\nOn network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9", "created": "2023-09-29T16:36:28.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:56.945Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7", "created": "2023-09-29T16:39:54.248Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:57.163Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a45cec05-2d81-4db1-9267-db8be498e0d2", "created": "2023-09-29T16:46:50.699Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:57.362Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac", "created": "2023-09-29T17:40:58.726Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:57.565Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63", "created": "2023-09-29T17:57:44.978Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:57.777Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET Research Whitepapers September 2018", "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"}, {"source_name": "Intel", "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf"}, {"source_name": "N/A", "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:57.968Z", "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5", "created": "2023-09-29T17:40:08.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:58.166Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:58.388Z", "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf", "created": "2023-09-27T14:45:26.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}, {"source_name": "Charles McLellan March 2016", "description": "Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.", "url": "https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:58.585Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) remotely discovered operational assets once on the OT network. (Citation: Charles McLellan March 2016) (Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:58.780Z", "description": "Monitor for alarm setting changes observable in automation or management network protocols.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a6277ff6-9cdf-484f-a902-3f9442039905", "created": "2024-09-11T22:55:18.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Claroty Fuxnet 2024", "description": "Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.", "url": "https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:58.990Z", "description": "[Fuxnet](https://attack.mitre.org/software/S1157) shut down remote access services such as SSH, HTTP, telnet, and SNMP to a device along with deleting the routing table for routing devices to inhibit system accessibility and communication.(Citation: Claroty Fuxnet 2024)", "relationship_type": "uses", "source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a6479493-6154-408f-90df-9d2f3ae352d1", "created": "2023-03-31T17:46:01.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Crashoverride 2018", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:59.266Z", "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems.(Citation: Dragos Crashoverride 2018)", "relationship_type": "uses", "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Davey Winder June 2020", "description": "Davey Winder 2020, June 10 Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations Retrieved. 2021/04/12 ", "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:59.465Z", "description": "[EKANS](https://attack.mitre.org/software/S0605) infection resulted in a temporary production loss within a Honda manufacturing plant. (Citation: Davey Winder June 2020)", "relationship_type": "uses", "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:59.704Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7", "created": "2023-09-29T17:05:56.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:03:59.902Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927", "created": "2023-03-30T14:08:06.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:00.124Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a72c212f-6d4f-4c5d-873d-afa42021024c", "created": "2024-03-26T15:42:10.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:00.313Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a731ad54-0c3c-47bb-9559-d99950782beb", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:00.526Z", "description": "Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:00.728Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:00.928Z", "description": "Patch the BIOS and EFI as necessary.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a78e727c-8e42-448c-beb4-463804e18be0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:01.131Z", "description": "Minimize permissions and access for service accounts to limit impact of exploitation. (Citation: Keith Stouffer May 2015)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac", "created": "2023-09-28T19:41:16.927Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:01.326Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393", "created": "2022-09-26T14:43:24.136Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Elastic - Koadiac Detection with EQL", "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.", "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:01.540Z", "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:01.767Z", "description": "Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:01.971Z", "description": "All field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a", "created": "2022-09-29T14:27:05.757Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:02.178Z", "description": "Monitor logon sessions for hardcoded credential use, when feasible.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:02.422Z", "description": "Consider utilizing jump boxes for external remote access. Additionally, dynamic account management may be used to easily remove accounts when not in use.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:02.626Z", "description": "Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", "created": "2021-04-11T14:06:54.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ICS CERT September 2018", "description": "ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 2019/12/05 ", "url": "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B"}, {"source_name": "ICS-CERT December 2014", "description": "ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 ", "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:02.855Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. (Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:03.070Z", "description": "Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1", "created": "2023-09-28T20:28:27.970Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:03.314Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:03.514Z", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:03.727Z", "description": "Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a91295dc-b381-4dc9-9384-9f9949066778", "created": "2023-09-29T18:42:18.446Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:03.935Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a93ba793-24dd-47dd-b32c-4c3016124c90", "created": "2023-09-29T18:43:02.969Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:04.140Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "MDudek-ICS", "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:04.390Z", "description": "[Triton](https://attack.mitre.org/software/S1009) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. (Citation: MDudek-ICS)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa205915-7571-47ee-8bc6-5aa1ace86690", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:04.596Z", "description": "Devices may produce alarms about restarts or shutdowns. Monitor for unexpected device restarts or shutdowns.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91", "created": "2022-09-26T16:35:07.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:04.805Z", "description": "Monitor for new master devices communicating with outstations, which may be visible in alarms within the ICS environment.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba", "created": "2023-09-29T17:42:56.284Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:04.996Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa", "created": "2023-03-30T19:03:59.066Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:05.230Z", "description": "Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:05.429Z", "description": "Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab0b5170-577b-491e-8508-b9a34dc393c1", "created": "2022-09-27T16:22:57.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:05.628Z", "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Selena Larson, Camille Singleton December 2020", "description": "Selena Larson, Camille Singleton 2020, December RANSOMWARE IN ICS ENVIRONMENTS Retrieved. 2021/04/12 ", "url": "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf?utm_referrer=https%3A%2F%2Fwww.dragos.com%2Fresource%2Fransomware-in-ics-environments%2F"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:05.817Z", "description": "The [REvil](https://attack.mitre.org/software/S0496) malware gained access to an organizations network and encrypted sensitive files used by OT equipment. (Citation: Selena Larson, Camille Singleton December 2020)", "relationship_type": "uses", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b", "created": "2023-09-29T17:37:50.048Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:06.042Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:06.270Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e", "created": "2023-09-29T17:37:16.719Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:06.487Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed", "created": "2023-09-28T19:41:30.623Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:06.728Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab8e129c-5411-4784-9194-068fa915da23", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov", "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:06.928Z", "description": "[KillDisk](https://attack.mitre.org/software/S0607) deletes application, security, setup, and system event logs from Windows systems. (Citation: Anton Cherepanov)", "relationship_type": "uses", "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291", "created": "2023-10-02T20:20:19.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:07.145Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee", "created": "2024-11-20T23:26:28.979Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:07.373Z", "description": "During [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary initiated a firmware downgrade on impacted devices.(Citation: Dragos FROSTYGOOP 2024)", "relationship_type": "uses", "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ac933d76-8207-4bf7-add2-92b60cf3044b", "created": "2023-09-28T20:04:54.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:07.564Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--acace658-da7e-4a19-aa98-8aec8c966dde", "created": "2023-09-27T14:53:03.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:07.778Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breaks after gaining control of operator workstations and accessing a distribution management system (DMS) application. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472", "created": "2019-04-17T14:45:59.681Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FireEye FIN6 Apr 2019", "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:39:22.852Z", "description": "(Citation: FireEye FIN6 Apr 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:08.056Z", "description": "Monitor network traffic for anomalies associated with known AiTM behavior. For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:08.275Z", "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. (Citation: Karen Scarfone; Paul Hoffman September 2009)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b", "created": "2023-09-28T21:12:39.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:08.481Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:08.707Z", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--adf2072c-0341-4fc2-9d25-495b4af864e9", "created": "2023-03-10T20:09:22.370Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:08.919Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network preventing them from issuing any controls.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b", "created": "2021-04-12T18:59:17.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:09.130Z", "description": "Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc", "created": "2023-09-28T19:50:14.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:09.371Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:09.574Z", "description": "Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c", "created": "2023-03-10T20:36:34.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:09.798Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--af20f409-05ed-42c3-ae3e-09b047b84875", "created": "2023-09-25T20:49:25.308Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:09.998Z", "description": "All field controllers should require that user authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies,\u00a0Password Policies, and\u00a0User Account Management.", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:10.199Z", "description": "Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379", "created": "2023-09-28T21:17:32.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:10.410Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d", "created": "2023-09-29T16:44:42.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:10.609Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:10.861Z", "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:11.078Z", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1", "created": "2023-09-29T17:37:41.336Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:11.313Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1", "created": "2023-09-29T16:40:30.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:11.511Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b05d678b-4d87-4261-9366-f8b757a77661", "created": "2024-03-28T14:27:51.356Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TRITON Dec 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:11.724Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) would programmatically return the controller to a normal running state if the [Triton](https://attack.mitre.org/software/S1009) malware failed. If the controller could not recover in a defined time window, [TEMP.Veles](https://attack.mitre.org/groups/G0088) programmatically overwrote their malicious program with invalid data.(Citation: FireEye TRITON Dec 2017)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7", "created": "2022-09-27T15:30:18.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:11.923Z", "description": "Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b07e6896-a840-49a1-8d58-94396a902b95", "created": "2023-03-31T17:56:07.978Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET Industroyer", "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:12.125Z", "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) supplied the name of the payload DLL to [Industroyer](https://attack.mitre.org/software/S0604) via a command line parameter.(Citation: ESET Industroyer)", "relationship_type": "uses", "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1", "created": "2023-09-28T21:21:18.081Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:12.342Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:12.538Z", "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:12.743Z", "description": "Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:12.967Z", "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b13417ea-d8da-497f-818f-d2d90562039a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:13.168Z", "description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b1768154-221c-48be-ab2b-549ec1eddafb", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"}, {"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}, {"source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:13.395Z", "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec", "created": "2022-09-26T15:38:45.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:13.597Z", "description": "Monitor for loss of expected device alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b1921480-8499-46a9-8396-2a2d747c5861", "created": "2023-09-28T19:58:00.892Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:13.826Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:14.030Z", "description": "If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b21e0340-976d-44b2-94ae-f777199993c6", "created": "2023-09-28T19:39:00.326Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:14.229Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov", "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:14.424Z", "description": "[KillDisk](https://attack.mitre.org/software/S0607) is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. (Citation: Anton Cherepanov)", "relationship_type": "uses", "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b259c196-2a23-4173-9ed5-aae1c948579e", "created": "2024-03-25T20:19:03.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:14.627Z", "description": "Monitor for unusual processes execution, especially for processes that allow the proxy execution of malicious files.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a", "created": "2023-09-28T21:10:50.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:14.850Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "D. Parsons and D. Wylie September 2019", "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/"}, {"source_name": "Colin Gray", "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901"}, {"source_name": "Josh Rinaldi April 2016", "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/"}, {"source_name": "Aditya K Sood July 2019", "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/"}, {"source_name": "Langner November 2018", "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ", "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:15.061Z", "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "DHS National Urban Security Technology Laboratory April 2019", "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:15.268Z", "description": "Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f", "created": "2023-09-29T17:42:11.005Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:15.471Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b33f2abc-a218-425b-9a90-b75445b7e142", "created": "2023-09-29T18:05:51.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:15.729Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Threat Intelligence August 2019", "description": "Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 2020/01/03 ", "url": "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:15.914Z", "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) targeted several ICS vendors and manufacturers. (Citation: Dragos Threat Intelligence August 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b346eec8-de90-407c-b665-387086bb4553", "created": "2022-09-29T01:36:02.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}, {"source_name": "Brubaker-Incontroller", "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:16.120Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to upload programs from Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa", "created": "2017-05-31T21:33:27.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "iSIGHT Sandworm 2014", "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"}, {"source_name": "F-Secure BlackEnergy 2014", "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"}, {"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download"}, {"source_name": "UK NCSC Olympic Attacks October 2020", "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"}, {"source_name": "Secureworks IRON VIKING ", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:40:57.405Z", "description": "(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b352884f-2a60-41c6-b348-0bbb5859802a", "created": "2023-09-28T20:01:52.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:16.436Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:16.649Z", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b37844c1-0338-44f6-9116-48fa0f079913", "created": "2023-09-29T17:41:11.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:16.850Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Chris Bing May 2018", "description": "Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 2020/01/03 ", "url": "https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:17.043Z", "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilizes watering hole websites to target industrial employees. (Citation: Chris Bing May 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2", "created": "2023-09-28T19:48:58.160Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:17.270Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b3b24837-83ed-46c5-ba80-66a832c7072e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:17.458Z", "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:17.660Z", "description": "Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08", "created": "2023-09-28T20:02:20.170Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:17.889Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov", "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:18.084Z", "description": "[KillDisk](https://attack.mitre.org/software/S0607) looks for and terminates two non-standard processes, one of which is an ICS application. (Citation: Anton Cherepanov)", "relationship_type": "uses", "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:18.309Z", "description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3", "created": "2023-03-30T18:59:30.677Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:18.517Z", "description": "Develop and publish policies that define acceptable information to be stored on local systems.", "relationship_type": "mitigates", "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b48be9f9-de0e-4548-ade3-09d47af52798", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:18.721Z", "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if command messages are blocked.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3", "created": "2022-09-27T17:37:02.670Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nzyme Alerts Intro", "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved November 17, 2024.", "url": "https://docs.nzyme.org/wifi/monitoring/network-monitoring/"}, {"source_name": "Wireless Intrusion Detection", "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.", "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:18.927Z", "description": "Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network) detection may be possible. Monitor for new or irregular network traffic flows which may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa", "created": "2023-09-29T17:45:55.581Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:19.116Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1", "created": "2023-03-10T20:10:23.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:19.310Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary falsified network addresses in order to send false data and instructions to pumping stations.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b5979643-fefb-460f-b59c-971efe95f121", "created": "2022-09-27T16:57:48.758Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:19.508Z", "description": "Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b59a96e4-bd70-4459-9609-66563bccd9c3", "created": "2023-09-29T16:38:21.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:19.725Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Hydro", "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"}, {"source_name": "Kevin Beaumont", "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:19.939Z", "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of control which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", "relationship_type": "uses", "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:20.134Z", "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:20.378Z", "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b628d878-4f35-4580-8d42-26984d13821e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:20.585Z", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b6309476-8268-4c47-920b-8a556cd8ae4c", "created": "2023-09-29T18:47:07.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:20.814Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b69905bd-6865-4092-9543-47bd9ae318ec", "created": "2023-09-28T19:54:22.618Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:20.999Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CISA June 2013", "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:21.189Z", "description": "Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). (Citation: CISA June 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b7284360-0d80-45bb-8486-263ae8f8fa63", "created": "2023-09-28T21:26:01.106Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:21.421Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:21.649Z", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b7344dfb-621b-4558-ab22-6c1f256ee746", "created": "2023-09-29T16:46:27.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:21.886Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2", "created": "2023-09-29T18:57:10.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:22.081Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:22.281Z", "description": "Monitor for unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586", "created": "2023-09-28T19:51:42.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:22.505Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:22.734Z", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e", "created": "2023-09-29T18:42:53.573Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:22.938Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b8b1739d-dfa2-44e9-907f-7085e262512f", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:23.123Z", "description": "Monitor login sessions for new or unexpected devices or sessions on wireless networks.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:23.331Z", "description": "Monitor for network traffic originating from unknown/unexpected systems.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:23.566Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd", "created": "2021-10-14T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:23.767Z", "description": "Update software on control network assets when possible. If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:23.961Z", "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:24.167Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:24.380Z", "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:24.573Z", "description": "Require signed binaries.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:24.803Z", "description": "Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c", "created": "2023-09-28T21:28:36.325Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:25.010Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a", "created": "2023-09-28T20:03:54.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:25.206Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7", "created": "2023-09-29T18:49:34.208Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:25.429Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341", "created": "2024-03-25T20:17:36.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:25.662Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:25.877Z", "description": "Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--baf7daf3-2116-4051-91b5-f82e146167d0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:26.100Z", "description": "Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259", "created": "2023-09-29T16:45:08.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:26.310Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc", "created": "2023-09-28T19:53:44.848Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:26.525Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:26.729Z", "description": "Devices should authenticate all messages between master and outstation assets.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:26.965Z", "description": "Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc383819-2e40-49b4-bea9-95eb5d418877", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:27.159Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a thread to monitor a data block DB890 of sequence A or B. This thread is constantly running and probing this block (every 5 minutes). On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify his own block DB890), this blocks data can be read and written. This thread is likely used to optimize the way sequences A and B work, and modify their behavior when the Step7 editor is opened. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9", "created": "2023-09-28T21:22:21.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:27.370Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:27.561Z", "description": "Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:27.786Z", "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:27.985Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a", "created": "2023-09-28T21:16:24.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:28.188Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bd869385-5778-4303-8993-cc6412d12303", "created": "2023-09-29T18:45:59.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:28.405Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:28.592Z", "description": "Deploy anti-virus on all systems that support external email.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:28.817Z", "description": "Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be0f7d83-2441-4259-b411-46e0d10566b1", "created": "2023-10-02T20:23:24.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:29.045Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be532c78-daf5-431b-adae-ab11af395513", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:29.267Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be950e87-80ac-49ea-810a-553c7f72151b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:29.476Z", "description": "Devices should authenticate all messages between master and outstation assets.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2", "created": "2023-09-28T20:31:17.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:29.670Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85", "created": "2024-03-28T14:27:09.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TRITON 2018", "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:29.874Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used valid credentials when laterally moving through RDP jump boxes into the ICS environment.(Citation: FireEye TRITON 2018)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76", "created": "2023-09-29T16:46:12.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:30.059Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:30.272Z", "description": "Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf8e68fe-1969-48d1-be0e-ec742378748d", "created": "2023-09-29T18:56:34.302Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:30.459Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302", "created": "2023-09-29T18:06:02.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:30.650Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf9f227c-e306-4257-add1-39c7c2e42040", "created": "2023-09-29T18:47:28.758Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:30.863Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1", "created": "2020-09-22T19:41:27.951Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Secureworks REvil September 2019", "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"}, {"source_name": "Secureworks GandCrab and REvil September 2019", "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.", "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:44:11.710Z", "description": "(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bffad8de-a807-4216-9753-008a87d9d77f", "created": "2023-09-28T19:56:40.730Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:31.162Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef", "created": "2023-09-28T21:17:47.080Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:31.380Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c0efb24a-2329-401a-bba6-817f2867bb3f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:31.571Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f", "created": "2023-03-10T20:34:55.362Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:31.814Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary suppressed alarm reporting to the central computer.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CopyFromScreen .NET", "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.", "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8"}, {"source_name": "Antiquated Mac Malware", "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:32.003Z", "description": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7", "created": "2024-03-28T14:28:47.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TEMP.Veles 2018", "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:32.208Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) made attempts on multiple victim machines to transfer and execute the WMImplant tool.(Citation: FireEye TEMP.Veles 2018)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:32.422Z", "description": "Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2", "created": "2023-09-29T18:09:02.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:32.619Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553", "created": "2023-09-29T17:09:48.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:32.817Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5", "created": "2023-09-29T16:28:39.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:33.039Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c233df49-e450-4151-8a0f-1765faf3d75a", "created": "2023-09-29T17:08:08.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:33.275Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2", "created": "2023-03-10T20:09:49.009Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:33.468Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f", "created": "2023-09-29T17:59:54.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:33.667Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:33.876Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Threat Intelligence February 2020", "description": "Dragos Threat Intelligence 2020, February 03 EKANS Ransomware and ICS Operations Retrieved. 2021/04/12 ", "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:34.072Z", "description": "[EKANS](https://attack.mitre.org/software/S0605) masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. (Citation: Dragos Threat Intelligence February 2020)", "relationship_type": "uses", "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c37f097a-9698-412f-9e96-4d350bcd2790", "created": "2023-09-29T16:44:26.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:34.277Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608", "created": "2023-09-29T18:49:14.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:34.465Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:34.668Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) automatically collects protocol object data to learn about control devices in the environment. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b", "created": "2023-10-02T20:21:06.420Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:34.889Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa", "created": "2022-09-27T16:35:12.372Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:35.106Z", "description": "Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c4718fa2-2592-44b0-87d0-f866c118a779", "created": "2023-09-29T18:07:09.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:35.331Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:35.523Z", "description": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c4a50132-a210-4093-878d-3d6df23ed26e", "created": "2023-09-29T17:10:09.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:35.724Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37", "created": "2023-09-28T20:15:05.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:35.927Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c4dd7251-ed87-4629-86b5-090e52a82df2", "created": "2024-04-09T21:00:32.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:36.124Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Robert Falcone, Bryan Lee May 2016", "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:36.324Z", "description": "[OilRig](https://attack.mitre.org/groups/G0049) has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.(Citation: Robert Falcone, Bryan Lee May 2016)", "relationship_type": "uses", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c58563a8-d757-4476-8ae2-beb2acce38b3", "created": "2023-10-02T20:20:55.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:36.530Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c596f45a-ad65-4673-b316-05378175f35e", "created": "2024-04-09T20:54:19.196Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:36.745Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a", "created": "2019-03-25T19:13:54.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:36.946Z", "description": "[WannaCry](https://attack.mitre.org/software/S0366) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", "relationship_type": "uses", "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd", "created": "2023-09-29T18:43:49.839Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:37.152Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16", "created": "2020-06-10T18:36:54.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Cyclops Blink March 2022", "description": "Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.", "url": "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"}, {"source_name": "NCSC Sandworm Feb 2020", "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory"}, {"source_name": "mandiant_apt44_unearthing_sandworm", "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.", "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"}, {"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download"}, {"source_name": "Secureworks IRON VIKING ", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"}, {"source_name": "UK NCSC Olympic Attacks October 2020", "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:45:51.619Z", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )(Citation: Trend Micro Cyclops Blink March 2022)(Citation: mandiant_apt44_unearthing_sandworm)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c5fd0969-c151-4849-94c2-83e2e208cff7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:37.454Z", "description": "Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:37.666Z", "description": "Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:37.879Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:38.096Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:38.318Z", "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36", "created": "2023-09-28T21:27:50.246Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:38.535Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:38.754Z", "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information Mitigation](https://attack.mitre.org/mitigations/T1140) in payloads.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c67e3535-69a9-4234-8170-4ad6efc632b7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "OWASP", "description": "OWASP Top 10 Web Application Security Risks Retrieved. 2020/09/25 ", "url": "https://owasp.org/www-project-top-ten/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:38.956Z", "description": "Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. (Citation: OWASP)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:39.146Z", "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8", "created": "2023-09-29T17:59:11.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:39.381Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374", "created": "2022-09-26T14:35:27.430Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:39.579Z", "description": "Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via [Rogue Master](https://attack.mitre.org/techniques/T0848).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:39.776Z", "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:39.976Z", "description": "When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ACSC Email Spoofing", "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"}, {"source_name": "Microsoft Anti Spoofing", "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.", "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:40.173Z", "description": "Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Karen Scarfone; Paul Hoffman September 2009", "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"}, {"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}, {"source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:40.372Z", "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c8222300-6c5e-42d6-ae67-3595407b89fd", "created": "2024-04-09T20:54:39.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:40.569Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", "created": "2022-05-06T17:47:21.168Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Carl Hurd March 2019", "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", "url": "https://www.youtube.com/watch?v=yuZazP22rpI"}, {"source_name": "William Largent June 2018", "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:40.783Z", "description": "The [VPNFilter](https://attack.mitre.org/software/S1010)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", "relationship_type": "uses", "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6", "created": "2021-04-12T17:00:17.249Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Robert A. Martin January 2021", "description": "Robert A. Martin 2021, January TRUSTING OUR SUPPLY CHAINS: A COMPREHENSIVE DATA-DRIVEN APPROACH Retrieved. 2021/04/12 ", "url": "https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-comprehensive-data-driven-approach.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:40.969Z", "description": "A supply chain management program should include methods the assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c8dd2735-bd04-4413-847d-316b77c6de19", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:41.166Z", "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a", "created": "2023-09-27T13:22:13.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:46:37.915Z", "description": "(Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c9065f74-556d-4728-8072-f96642e70316", "created": "2021-04-12T18:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:41.466Z", "description": "Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureWorks September 2019", "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"}, {"source_name": "Tom Fakterman August 2019", "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:41.652Z", "description": "[REvil](https://attack.mitre.org/software/S0496) sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. (Citation: Tom Fakterman August 2019) (Citation: SecureWorks September 2019)", "relationship_type": "uses", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:41.865Z", "description": "Provide an alternative method for alarms to be reported in the event of a communication failure.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c95850f4-4616-435c-b237-f1985833d40e", "created": "2023-09-29T16:29:39.918Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:42.076Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c9fb4adb-8064-426a-838d-c93674fb380b", "created": "2023-09-29T18:44:38.035Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:42.312Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:42.511Z", "description": "Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca13a117-aae0-4802-878b-c09f4a04dd31", "created": "2023-09-28T20:06:50.018Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:42.722Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca225ea0-e813-4205-98db-707b474ae24f", "created": "2024-04-09T20:49:44.575Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:42.923Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Anton Cherepanov, ESET June 2017", "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:43.126Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca5c7ae7-5273-4888-bc50-183d6e200972", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:43.337Z", "description": "Built-in browser sandboxes and application isolation may be used to contain web-based malware.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca64a927-f050-41b3-80d3-93d22cdef26a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:43.547Z", "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:43.758Z", "description": "Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Carl Hurd March 2019", "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", "url": "https://www.youtube.com/watch?v=yuZazP22rpI"}, {"source_name": "William Largent June 2018", "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:43.976Z", "description": "The [VPNFilter](https://attack.mitre.org/software/S1010) packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", "relationship_type": "uses", "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", "created": "2021-10-04T20:52:20.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ESET Lazarus KillDisk April 2018", "description": "K\u00e1lnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.", "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:47:12.098Z", "description": "(Citation: ESET Lazarus KillDisk April 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:44.309Z", "description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:44.524Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd", "created": "2023-09-28T21:14:29.099Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:44.717Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:44.933Z", "description": "Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794", "created": "2023-03-30T14:08:42.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:45.138Z", "description": "Retain cold-standby or replacement hardware of similar models to ensure continued operations of critical functions if the primary system is compromised or unavailable. (Citation: M. Rentschler and H. Heine)", "relationship_type": "mitigates", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cba8313b-c338-45f7-88ef-a514094882ac", "created": "2022-09-28T20:28:39.348Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:45.380Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to exploit a vulnerable Asrock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system.(Citation: Wylie-22)", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d", "created": "2024-04-09T20:54:26.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:45.573Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749", "created": "2023-10-20T17:05:25.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:45.801Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a", "created": "2023-09-29T16:30:08.166Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:46.007Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:46.217Z", "description": "Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c", "created": "2022-09-27T15:34:07.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:46.425Z", "description": "Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host\u2019s GUI.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:46.639Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ccbb44ad-2220-4260-99ce-9142c44fc797", "created": "2023-09-28T21:10:03.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:46.864Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:47.078Z", "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. (Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:47.321Z", "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2", "created": "2023-09-28T20:15:56.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:47.514Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8", "created": "2024-03-28T14:27:34.578Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Triton-EENews-2017", "description": "Blake Sobczak. (2019, March 7). The inside story of the world\u2019s most dangerous malware. Retrieved March 25, 2024.", "url": "https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"}, {"source_name": "FireEye TRITON 2018", "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:47.756Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) utilized remote desktop protocol (RDP) jump boxes, poorly configured OT firewalls (Citation: Triton-EENews-2017), along with other traditional malware backdoors, to move into the ICS environment.(Citation: FireEye TRITON 2018)(Citation: Triton-EENews-2017)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:47.954Z", "description": "Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986", "created": "2023-09-29T16:31:36.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:48.157Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb", "created": "2021-01-20T21:03:13.436Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download"}, {"source_name": "Secureworks IRON VIKING ", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:48:04.707Z", "description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Secureworks IRON VIKING )", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:48.463Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a", "created": "2022-09-26T14:37:45.140Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:48.668Z", "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9", "created": "2022-09-23T16:36:40.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:48.864Z", "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d", "created": "2023-09-29T16:29:16.222Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:49.067Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:49.271Z", "description": "Monitor for unexpected ICS protocol functions from new and existing devices. Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf8a816c-30ee-4147-a48f-d797fb145a04", "created": "2023-09-29T17:43:10.828Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:49.460Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:49.681Z", "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185", "created": "2023-09-28T21:15:44.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:49.882Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cfcbca89-8912-40c0-ac15-47882162b132", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:50.070Z", "description": "Monitor application logs for new or unexpected devices or sessions on wireless networks.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab", "created": "2023-10-02T20:22:25.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:50.270Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d03de729-9235-4ceb-a1c0-935e2088020b", "created": "2023-09-28T21:29:12.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:50.495Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:50.705Z", "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d1388bba-9869-4e3e-a6c9-430784ad924d", "created": "2023-09-27T14:59:13.988Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:50.912Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), operators were shut out of their equipment either through the denial of peripheral use or the degradation of equipment. Operators were therefore unable to recover from the incident through their traditional means. Much of the power was restored manually. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:51.106Z", "description": "Disable unnecessary legacy network protocols that may be used for AiTM if applicable.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:51.340Z", "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d1a97502-b41d-40a8-aff5-13367fefc642", "created": "2023-09-28T21:21:45.003Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:51.534Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896", "created": "2023-09-29T16:28:52.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:51.758Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:51.970Z", "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d23fd724-563d-4f49-8bcd-09c653728cd3", "created": "2023-09-28T21:28:00.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:52.170Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242", "created": "2023-09-28T19:53:20.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:52.379Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d2a434c7-4428-435e-ae6b-e54012f29606", "created": "2023-09-25T20:43:52.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:52.603Z", "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af", "created": "2022-09-27T16:08:15.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:52.871Z", "description": "Monitor device application logs that indicate the program has changed, although not all devices produce such logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Robert Falcone, Bryan Lee May 2016", "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:53.064Z", "description": "[OilRig](https://attack.mitre.org/groups/G0049) communicated with its command and control using HTTP requests. (Citation: Robert Falcone, Bryan Lee May 2016)", "relationship_type": "uses", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999", "created": "2023-09-29T18:49:54.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:53.274Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72", "created": "2023-09-28T19:38:27.199Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:53.470Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3717846-eaab-4fde-99f6-a972dec9323b", "created": "2024-03-27T19:43:45.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos-Sandworm-Ukraine-2022", "description": "Dragos, Inc.. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.", "url": "https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/"}, {"source_name": "Mandiant-Sandworm-Ukraine-2022", "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", "url": "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:49:21.362Z", "description": "(Citation: Mandiant-Sandworm-Ukraine-2022)(Citation: Dragos-Sandworm-Ukraine-2022) ", "relationship_type": "attributed-to", "source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d", "target_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:53.798Z", "description": "Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3d4f469-9847-41ef-a478-5eaf6003d483", "created": "2023-10-02T20:23:00.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:53.992Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:54.193Z", "description": "Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d455330d-f190-4854-8087-4c2c37003b45", "created": "2023-09-29T17:39:29.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:54.422Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d48894cb-457e-4a81-82b4-2d735aea5128", "created": "2023-09-28T19:50:56.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:54.613Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab", "created": "2017-05-31T21:33:27.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"}, {"source_name": "Gigamon Berserk Bear October 2021", "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:49:38.176Z", "description": "(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", "relationship_type": "uses", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87", "created": "2024-03-27T20:48:27.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Mandiant-Sandworm-Ukraine-2022", "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", "url": "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:54.925Z", "description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used existing hypervisor access to map an ISO image named `a.iso` to a virtual machine running a SCADA server. The SCADA server\u2019s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed.(Citation: Mandiant-Sandworm-Ukraine-2022)", "relationship_type": "uses", "source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d", "target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", "created": "2019-03-25T19:13:54.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:55.118Z", "description": "[WannaCry](https://attack.mitre.org/software/S0366) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", "relationship_type": "uses", "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d58d8b19-90bc-4a7f-840d-076be296ff20", "created": "2023-09-29T17:09:01.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:55.324Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a", "created": "2023-09-28T19:43:49.584Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:55.515Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d", "created": "2023-09-29T17:38:17.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:55.721Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0", "created": "2023-09-29T17:08:23.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:55.928Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d648b3c7-77d2-42f3-a367-620621b714ab", "created": "2023-09-28T21:11:29.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:56.117Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d67ae959-9014-4501-b963-42bee03a5e3b", "created": "2024-03-25T20:09:34.908Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jamie Tarabay and Katrina Manson December 2023", "description": "Jamie Tarabay and Katrina Manson. (2023, December 22). Iranian-Linked Hacks Expose Failure to Safeguard US Water System. Retrieved March 25, 2024.", "url": "https://www.bloomberg.com/news/articles/2023-12-22/iranian-linked-hacks-expose-failure-to-safeguard-us-water-system"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:56.322Z", "description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused multiple businesses to halt operations in their industrial environments, impacting their typical business operations. These victims covered multiple sectors.(Citation: Jamie Tarabay and Katrina Manson December 2023)", "relationship_type": "uses", "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:56.527Z", "description": "When available utilize hardware and software root-of-trust to verify the authenticity of a system. This may be achieved through cryptographic means, such as digital signatures or hashes, of critical software and firmware throughout the supply chain.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:56.745Z", "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:56.942Z", "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. (Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de", "created": "2023-09-29T18:48:41.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:57.155Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5", "created": "2023-09-28T20:29:50.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:57.388Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET Bad Rabbit", "description": "M.L\u00e9veille, M-E.. (2017, October 24). Bad Rabbit: Not\u2011Petya is back with improved ransomware. Retrieved January 28, 2021.", "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:57.606Z", "description": "Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0606), resulting in some computers becoming encrypted, according to media reports. (Citation: ESET Bad Rabbit)", "relationship_type": "uses", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18", "created": "2023-09-29T16:46:01.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:57.843Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:58.054Z", "description": "[Triton](https://attack.mitre.org/software/S1009) has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:58.274Z", "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d8911566-f622-4a01-b765-514dbbfd8201", "created": "2022-09-28T20:27:01.345Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:58.493Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can deploy Tcpdump to sniff network traffic and collect PCAP files.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa", "created": "2023-09-28T21:14:51.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:58.678Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:58.883Z", "description": "Consider the disabling of features such as AutoRun.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d8f95008-33c9-4572-9916-023d8de449b1", "created": "2023-09-29T18:04:16.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:59.116Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ICS-CERT August 2018", "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:59.321Z", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. (Citation: ICS-CERT August 2018)", "relationship_type": "uses", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d90b1271-a90d-41c7-9df7-bec47880c82e", "created": "2022-09-27T15:33:46.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:59.520Z", "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host\u2019s GUI.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:59.761Z", "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. (Citation: Booz Allen Hamilton)\n", "relationship_type": "uses", "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d96788b4-55dd-48df-bb9b-83b33ca24813", "created": "2023-09-28T19:55:22.376Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:04:59.970Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d9de58a6-58fd-499c-ba7d-588239297179", "created": "2023-09-29T16:42:31.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:00.181Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5", "created": "2023-09-28T19:51:11.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:00.416Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a", "created": "2023-09-29T16:42:53.226Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:00.613Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0", "created": "2023-09-29T18:06:57.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:00.816Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--da987131-bf37-4730-9914-323879d2b5c3", "created": "2023-09-28T20:34:11.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:01.013Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8", "created": "2023-09-28T19:44:22.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:01.207Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dadfed22-d70c-482b-9026-964396d75484", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:01.406Z", "description": "Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--db46e84f-435e-4022-b484-e6d2e253660c", "created": "2023-09-29T18:06:13.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:01.600Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a", "created": "2022-09-30T15:34:29.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:01.820Z", "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dbcc492c-782e-4418-8373-dbc7a76498b0", "created": "2023-09-29T17:45:35.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:02.024Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:02.225Z", "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:02.424Z", "description": "Use strong multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials. Be aware of multi-factor authentication interception techniques for some implementations.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:02.622Z", "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f", "created": "2023-09-29T18:06:35.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:02.821Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dda29418-9570-405a-b7db-97e951e5aa53", "created": "2022-09-26T19:36:13.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:03.016Z", "description": "Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:03.230Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:03.436Z", "description": "All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--de8b8a69-5f08-421a-96f0-2bed5707508d", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nzyme Alerts Intro", "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved November 17, 2024.", "url": "https://docs.nzyme.org/wifi/monitoring/network-monitoring/"}, {"source_name": "Wireless Intrusion Detection", "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.", "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:03.637Z", "description": "New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dead5325-7efe-4dcc-bf78-42b9190f74da", "created": "2023-09-29T16:46:40.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:03.868Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--deb83319-bc5a-4b9b-a44a-bd369b899601", "created": "2024-03-25T20:18:12.056Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:04.076Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--def57041-6bb4-453a-bf04-188b9e97a35d", "created": "2023-09-28T21:26:34.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:04.312Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df321d74-25d6-42da-80e8-3c9a291cb471", "created": "2023-09-28T19:57:41.602Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:04.505Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:04.722Z", "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df7b521e-4496-432f-a61d-3094d0c7bc23", "created": "2023-09-29T17:58:26.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:04.930Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df80e2b6-5672-4f26-a19c-a394f3731f24", "created": "2023-09-28T19:48:48.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:05.126Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df88d021-cb8e-482d-9260-445d0a0244ac", "created": "2024-03-27T19:51:10.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Mandiant-Sandworm-Ukraine-2022", "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", "url": "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:05.322Z", "description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged the SCIL-API on the MicroSCADA platform to execute commands through the `scilc.exe` binary.(Citation: Mandiant-Sandworm-Ukraine-2022)", "relationship_type": "uses", "source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df95c619-33ee-4484-934a-78857717323e", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:05.514Z", "description": "Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. Network traffic content will provide valuable context and details about the content of network flows.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da", "created": "2023-09-28T20:11:11.658Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:05.761Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dfb20521-91c2-4f55-b92a-dab959759b78", "created": "2023-09-29T18:03:38.874Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:05.955Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb", "created": "2022-04-15T22:05:32.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:52:24.900Z", "description": "", "relationship_type": "revoked-by", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:06.275Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:06.485Z", "description": "Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of [Valid Accounts](https://attack.mitre.org/techniques/T0859).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:06.707Z", "description": "Prevent the use of unsigned executables, such as installers and scripts.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca", "created": "2022-09-27T15:42:39.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:06.940Z", "description": "Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e0aee02c-b424-4781-be10-793d71594c31", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:07.176Z", "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through a trojanized installer attached to emails. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "relationship_type": "uses", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:07.401Z", "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb", "created": "2023-03-10T20:08:40.601Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Marshall Abrams July 2008", "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:07.595Z", "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network, preventing them from viewing the state of the system.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e", "created": "2023-09-28T19:42:54.009Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:07.806Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:08.015Z", "description": "Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". For added context on adversary procedures and background see [Masquerading Mitigation](https://attack.mitre.org/mitigations/T1036) and applicable sub-techniques.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14", "created": "2023-03-31T17:44:45.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Crashoverride 2018", "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:08.219Z", "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.(Citation: Dragos Crashoverride 2018)", "relationship_type": "uses", "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74", "created": "2023-09-29T17:08:48.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:08.436Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e18af08c-3953-4b1d-b46c-45572fdb5187", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:08.633Z", "description": "Monitor operational data for indicators of temporary data loss which may indicate a Denial of Service. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4", "created": "2023-09-28T20:09:07.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:08.845Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e257913e-40ba-4a05-ba97-0c3175c966b5", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}, {"source_name": "Langer Stuxnet", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:09.057Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions. (Citation: Langer Stuxnet) (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Max Heinemeyer February 2020", "description": "Max Heinemeyer 2020, February 21 Post-mortem of a targeted Sodinokibi ransomware attack Retrieved. 2021/04/12 ", "url": "https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:09.276Z", "description": "[REvil](https://attack.mitre.org/software/S0496) uses the SMB protocol to encrypt files located on remotely connected file shares. (Citation: Max Heinemeyer February 2020)", "relationship_type": "uses", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00", "created": "2022-09-28T20:25:51.024Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos-Pipedream", "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"}, {"source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"}, {"source_name": "Brubaker-Incontroller", "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:09.492Z", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e3b04152-0c90-41ff-a333-c5163fa9714f", "created": "2023-09-29T17:41:22.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:09.685Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e41a04fe-a142-4294-a9f2-576214e1f985", "created": "2024-04-09T20:48:04.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:09.881Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e434db5d-f201-4411-825f-4a50e1e78c75", "created": "2023-09-29T17:06:20.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:10.093Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc", "created": "2023-09-29T18:49:44.351Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:10.309Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e4a11381-8608-4c71-966f-df0cbb834fe0", "created": "2022-09-30T15:35:09.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:10.499Z", "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery Mitigation](https://attack.mitre.org/mitigations/T1018).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972", "created": "2023-09-29T16:45:33.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:10.725Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a", "created": "2024-04-09T21:00:11.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:10.930Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:11.141Z", "description": "Utilize exploit protection to prevent activities which may be exploited through malicious web sites.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:11.410Z", "description": "Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454", "created": "2023-10-02T20:17:51.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:11.594Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e607bb66-e53f-4684-b3f1-36a997e27d01", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:11.807Z", "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb", "created": "2023-09-28T20:30:32.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:12.007Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:12.222Z", "description": "All field controllers should restrict the modification of parameter values to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. They should also restrict online edits and enable write protection for parameters. \n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:12.419Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9", "created": "2023-09-28T19:42:16.270Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:12.625Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:12.823Z", "description": "Application isolation will limit the other processes and system features an exploited target can access. Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e78ff18e-c919-4145-b8b8-540ae7dc94d2", "created": "2024-03-26T15:40:53.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:13.039Z", "description": "Monitor for newly constructed drive letters or mount points to removable media. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", "target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2", "created": "2023-09-29T16:45:20.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:13.276Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f", "created": "2024-11-20T23:25:47.710Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:13.477Z", "description": "During [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary initiated a firmware downgrade on victim devices to a version lacking monitoring.(Citation: Dragos FROSTYGOOP 2024)", "relationship_type": "uses", "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42", "created": "2023-09-29T16:39:41.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:13.666Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "M. Rentschler and H. Heine", "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", "url": "https://ieeexplore.ieee.org/document/6505877"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:13.884Z", "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:14.089Z", "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:14.322Z", "description": "When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:14.533Z", "description": "Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8", "created": "2023-09-28T19:50:30.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:14.760Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e915e12c-3d0c-4f60-b119-9414940abb0b", "created": "2023-09-28T20:08:27.145Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:14.982Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42", "created": "2023-09-28T19:45:18.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:15.180Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e98892d6-e036-4140-adbb-2932dba51a19", "created": "2023-09-28T20:08:09.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:15.413Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc", "created": "2020-05-14T14:41:42.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FireEye FIN6 Apr 2019", "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T22:55:03.806Z", "description": "(Citation: FireEye FIN6 Apr 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "DHS CISA February 2019", "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"}, {"source_name": "ICS-CERT December 2018", "description": "ICS-CERT 2018, December 18 Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B) Retrieved. 2019/03/08 ", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02"}, {"source_name": "Schneider Electric January 2018", "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ", "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s"}, {"source_name": "The Office of Nuclear Reactor Regulation", "description": "The Office of Nuclear Reactor Regulation Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 Triconex Topical Report 7286-545-1 Retrieved. 2018/05/30 ", "url": "https://www.nrc.gov/docs/ML1209/ML120900890.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:15.720Z", "description": "[Triton](https://attack.mitre.org/software/S1009) disables a firmware RAM/ROM consistency check after injects a payload (imain.bin) into the firmware memory region. (Citation: DHS CISA February 2019) (Citation: ICS-CERT December 2018) (Citation: Schneider Electric January 2018) Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. (Citation: The Office of Nuclear Reactor Regulation)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:15.901Z", "description": "Monitor ICS automation protocols for functions that restart or shutdown a device. Commands to restart or shutdown devices may also be observable in traditional IT management protocols.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ea817c7a-9424-4204-90a5-6f8fb86037be", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:16.094Z", "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4", "created": "2023-09-29T17:38:59.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:16.312Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:16.507Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960", "created": "2023-09-28T20:28:52.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:16.718Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53", "created": "2023-09-28T20:05:15.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:17.058Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", "created": "2021-10-08T15:25:32.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:17.271Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:17.472Z", "description": "Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b", "created": "2023-09-28T19:44:09.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:17.683Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", "created": "2021-10-08T15:42:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos Inc. June 2017", "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:17.881Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. June 2017)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb5310c6-7500-4b16-8ca7-6678c6232001", "created": "2023-09-29T19:36:38.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:18.076Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:18.320Z", "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0", "created": "2023-09-29T17:09:37.977Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:18.505Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:18.720Z", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643", "created": "2023-09-28T21:25:48.379Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:18.922Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:19.135Z", "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed095993-bc85-431e-9621-437143f16d44", "created": "2023-09-29T17:44:09.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:19.379Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed3ce006-cf41-46f6-bd86-054314c130dc", "created": "2023-09-28T21:15:57.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:19.565Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed3ef546-566a-46c7-918e-7bfa10d05991", "created": "2023-09-29T17:06:47.370Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:19.779Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed66e087-8877-4146-a16a-44cfd144a3d8", "created": "2023-09-29T17:07:00.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:19.992Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed8b97e2-5966-4844-a636-524541a46e43", "created": "2023-09-29T16:39:18.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:20.202Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb", "created": "2023-09-29T16:39:29.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:20.412Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6", "created": "2022-09-27T16:56:30.665Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:20.619Z", "description": "Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b", "created": "2023-09-29T17:58:54.996Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:20.853Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1", "created": "2023-09-28T21:12:00.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:21.055Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", "url": "https://securelist.com/bad-rabbit-ransomware/82851/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:21.272Z", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", "relationship_type": "uses", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2", "created": "2023-09-29T17:58:04.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:21.474Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:21.675Z", "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Tom Fakterman August 2019", "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:21.902Z", "description": "[REvil](https://attack.mitre.org/software/S0496) utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. (Citation: Tom Fakterman August 2019)", "relationship_type": "uses", "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:22.101Z", "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. (Citation: Booz Allen Hamilton)\n", "relationship_type": "uses", "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97", "created": "2023-09-28T20:05:33.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:22.308Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:22.504Z", "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6", "created": "2023-09-28T20:04:07.868Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:22.759Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Department of Homeland Security October 2009", "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:22.949Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"}, {"source_name": "Schweitzer Engineering Laboratories August 2015", "description": "Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 2020/09/25 ", "url": "https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:23.149Z", "description": "Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8", "created": "2023-09-28T21:11:45.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:23.369Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:23.586Z", "description": "All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3", "created": "2023-09-28T19:54:48.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:23.790Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec Security Response July 2014", "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries."}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:23.983Z", "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) trojanized legitimate ICS equipment providers software packages available for download on their websites.(Citation: Symantec Security Response July 2014)", "relationship_type": "uses", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--efb80069-e4be-4055-bd34-06d1376b4601", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "McCarthy, J et al. July 2018", "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", "url": "https://doi.org/10.6028/NIST.SP.1800-2"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:24.183Z", "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0", "created": "2023-09-29T16:39:09.447Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:24.415Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f05a2592-00f9-4f1f-ba55-395af5444b96", "created": "2023-09-29T17:42:29.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:24.632Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f08d487a-7837-48f9-9301-fe0f9f144c92", "created": "2023-09-28T20:31:04.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:24.852Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:25.040Z", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:25.281Z", "description": "When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, [Stuxnet](https://attack.mitre.org/software/S0603) prevents an operator from noticing unauthorized commands sent to the peripheral. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2", "created": "2021-04-12T18:59:17.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:25.486Z", "description": "Filter application-layer protocol messages for remote services to block any unauthorized activity.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d", "created": "2023-09-29T18:45:34.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:25.709Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb", "created": "2023-09-28T21:23:01.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:25.902Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f130282b-f681-455f-966b-55829842be92", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Langer Stuxnet", "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:26.105Z", "description": "One of [Stuxnet](https://attack.mitre.org/software/S0603)'s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged. (Citation: Langer Stuxnet)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8", "created": "2023-09-28T21:24:22.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:26.315Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f145b7e5-048b-46e7-8439-e2b88917523c", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:26.530Z", "description": "Monitor alarms for information about when an operating mode is changed, although not all devices produce such logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f15f24d2-e581-46ce-83e4-a924f572aae6", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:26.751Z", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f19c34b2-ef3a-4581-b604-6639f501e32f", "created": "2023-10-02T20:20:32.163Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:26.944Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704", "created": "2023-09-29T17:07:38.219Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:27.174Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:27.378Z", "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:27.580Z", "description": "DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious [Stuxnet](https://attack.mitre.org/software/S0603) block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. The replaced DP_RECV block (later on referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:27.782Z", "description": "Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee CHIPSEC Blog", "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/"}, {"source_name": "MITRE Copernicus", "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about"}, {"source_name": "Intel HackingTeam UEFI Rootkit", "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"}, {"source_name": "Github CHIPSEC", "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.", "url": "https://github.com/chipsec/chipsec"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:27.983Z", "description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", "created": "2021-04-12T07:57:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Joe Slowik August 2019", "description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ", "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:28.180Z", "description": "[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Joe Slowik August 2019)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b", "created": "2023-09-28T21:23:51.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:28.414Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba", "created": "2023-03-30T14:11:33.618Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:28.601Z", "description": "Monitor for device credential changes observable in automation or management network protocols.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:28.833Z", "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:29.025Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:29.234Z", "description": "Develop and publish policies that define acceptable information to be stored in repositories.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1", "created": "2023-09-28T19:49:56.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:29.445Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:29.647Z", "description": "Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f531e763-3550-40ba-a6a1-81e208ca12c6", "created": "2023-09-29T16:41:06.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:29.887Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7", "created": "2023-09-28T21:26:23.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:30.071Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f584a257-c22a-434b-aa2d-6220987821ab", "created": "2021-10-13T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Jos Wetzels January 2018", "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:30.281Z", "description": "[Triton](https://attack.mitre.org/software/S1009) can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. (Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545", "created": "2023-09-29T18:44:50.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:30.485Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f5c9f641-a498-46b5-9068-39502db53cfd", "created": "2023-09-28T20:10:55.590Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:30.721Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4", "created": "2023-09-29T17:04:55.720Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:30.913Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51", "created": "2023-09-29T17:05:20.132Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:31.104Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos", "description": "Dragos Chrysene Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/chrysene/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:31.308Z", "description": "[OilRig](https://attack.mitre.org/groups/G0049) utilized stolen credentials to gain access to victim machines.(Citation: Dragos)", "relationship_type": "uses", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659", "created": "2023-09-28T19:55:58.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:31.516Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f664bf42-5fb2-41e5-b790-978ddf866da3", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:31.746Z", "description": "Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6", "created": "2023-09-28T20:12:09.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:31.952Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f6ff74c2-d088-4252-a8e0-189574863765", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:32.168Z", "description": "Communication authenticity will ensure that any messages tampered with through AiTM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various AiTM procedures.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:32.381Z", "description": "Use file system access controls to protect system and application folders.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c", "created": "2023-09-29T16:45:42.977Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:32.577Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846", "created": "2023-09-29T18:47:39.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:32.808Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138", "created": "2023-09-28T20:31:31.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:32.996Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df", "created": "2023-09-27T14:58:21.360Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"}, {"source_name": "Ukraine15 - EISAC - 201603", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:33.197Z", "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened the breakers at the infected sites, shutting the power off for thousands of businesses and households for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8", "created": "2024-11-20T23:29:22.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Dragos FROSTYGOOP 2024", "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:33.423Z", "description": "During [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary modified victim control system parameters resulting in the loss of heating services to impacted district heating customers.(Citation: Dragos FROSTYGOOP 2024)", "relationship_type": "uses", "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f7d672f6-993b-4036-961d-f6e22e94446c", "created": "2024-04-09T20:48:30.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:33.625Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Eduard Kovacs May 2018", "description": "Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved September 12, 2024.", "url": "https://web.archive.org/web/20220120001230/https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:33.846Z", "description": "[OilRig](https://attack.mitre.org/groups/G0049) has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. (Citation: Eduard Kovacs May 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089", "created": "2023-09-28T20:16:40.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:34.045Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f862418a-e7b4-4783-8949-7145f3dee665", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:34.272Z", "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702", "created": "2023-03-22T15:52:30.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PLCTop20 Mar 2023", "description": "PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.", "url": "https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:34.484Z", "description": "Devices and programs should validate the content of any remote parameter changes, including those from HMIs, control servers, or engineering workstations.(Citation: PLCTop20 Mar 2023)", "relationship_type": "mitigates", "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:34.706Z", "description": "Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f92764db-a880-4726-9d28-a035170f790c", "created": "2023-09-28T21:22:35.236Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:34.905Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:35.106Z", "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:35.314Z", "description": "Monitor for unexpected ICS protocol command functions to controllers from existing master devices (including from new processes) or from new devices. The latter is like detection for [Rogue Master](https://attack.mitre.org/techniques/T0848) but requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).\n\nMonitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b", "created": "2023-09-28T19:48:37.072Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:35.518Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:35.743Z", "description": "Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:35.951Z", "description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. Ensure the signing keys are not easily accessible on the same system.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:36.158Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fa726dae-84da-4500-8516-1522da2c6fa4", "created": "2024-03-26T15:41:14.121Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:36.403Z", "description": "Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0", "created": "2023-09-29T16:28:04.180Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:36.593Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fad25140-73de-40d5-a010-3464188db973", "created": "2023-09-25T20:51:07.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:36.807Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and\u00a0User Account Management.", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fadbdca3-3c98-497c-a156-e53b89664359", "created": "2023-09-28T20:16:55.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:37.012Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--faf163b6-4e35-43d6-9c0c-83d91d215854", "created": "2024-09-11T22:57:39.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Claroty Fuxnet 2024", "description": "Team82. (2024, April 12). Unpacking the Blackjack Group's Fuxnet Malware. Retrieved September 11, 2024.", "url": "https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:37.227Z", "description": "[Fuxnet](https://attack.mitre.org/software/S1157) physically destroyed NAND memory chips on impacted devices through repeated bit-flip operations.(Citation: Claroty Fuxnet 2024)", "relationship_type": "uses", "source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:37.428Z", "description": "Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1", "created": "2023-09-29T17:38:28.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:37.622Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:37.853Z", "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:38.056Z", "description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Eduard Kovacs May 2018", "description": "Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved September 12, 2024.", "url": "https://web.archive.org/web/20220120001230/https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:38.310Z", "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:38.510Z", "description": "Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:38.722Z", "description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fcba6a58-72b0-4d54-a887-740624e22f6f", "created": "2024-03-26T15:42:36.840Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:38.920Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:39.147Z", "description": "Restrict browsers to limit the capabilities of malicious ads and Javascript.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55", "created": "2022-09-27T18:41:43.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:39.362Z", "description": "Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC\u2019s application program, either directly from the device or from asset management platforms.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fd309395-8fcc-402c-9227-90ac897fd602", "created": "2024-03-26T15:41:39.905Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:39.554Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd", "created": "2023-10-02T20:23:41.227Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:39.770Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0", "created": "2024-03-28T14:29:46.095Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye TRITON 2018", "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:39.957Z", "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to send unauthorized command messages to the Triconex safety controllers.(Citation: FireEye TRITON 2018)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fd856176-396c-4121-9754-35e49bfa5758", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:40.149Z", "description": "Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fdc20415-c9a1-405e-80af-3d297894e8fa", "created": "2023-09-28T19:58:30.849Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:40.401Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fe22637e-7187-4990-b24a-5dc851eec736", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:40.602Z", "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f", "created": "2023-09-28T21:10:39.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:40.807Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926", "created": "2023-09-28T21:26:59.998Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:41.023Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb", "created": "2023-09-28T19:56:26.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:41.267Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ff107632-751b-4efb-86bd-af670b48d35d", "created": "2023-09-28T21:21:30.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:41.468Z", "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:41.656Z", "description": "Restrict configurations changes and firmware updating abilities to only authorized individuals.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Joe Slowik April 2019", "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T23:05:41.879Z", "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", "relationship_type": "uses", "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2025-03-19T15:00:40.855Z", "name": "The MITRE Corporation", "description": "", "identity_class": "organization", "type": "identity", "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-06-01T00:00:00.000Z", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0"}, {"definition": {"statement": "Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation."}, "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", "type": "marking-definition", "created": "2017-06-01T00:00:00.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "definition_type": "statement"}], "spec_version": "2.0"}
\ No newline at end of file
diff --git a/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json
index 8d3d967e67..2fae2e6ba0 100644
--- a/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json
+++ b/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json
@@ -1,18 +1,20 @@
{
"type": "bundle",
- "id": "bundle--19f18c8a-b346-4f2a-8e11-5b76d8d1dcc7",
+ "id": "bundle--875f52c2-45f8-45d9-9aaf-aae14e6351cb",
"spec_version": "2.0",
"objects": [
{
+ "modified": "2025-03-19T15:00:40.855Z",
+ "name": "The MITRE Corporation",
+ "description": "",
+ "identity_class": "organization",
+ "type": "identity",
+ "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2017-06-01T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "type": "identity",
- "identity_class": "organization",
- "created": "2017-06-01T00:00:00.000Z",
- "modified": "2017-06-01T00:00:00.000Z",
- "name": "The MITRE Corporation"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json b/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json
index 75fda3bf17..ee5d28f955 100644
--- a/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json
+++ b/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json
@@ -1,10 +1,10 @@
{
"type": "bundle",
- "id": "bundle--f89ee427-4cf8-47fa-a34e-1313e08b01d2",
+ "id": "bundle--5ba54c0e-c699-484d-b485-7f1deb8a6cb0",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-08-26T16:33:33.984Z",
+ "modified": "2025-01-22T21:54:11.727Z",
"name": "APT38",
"description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.",
"aliases": [
@@ -17,7 +17,12 @@
"COPERNICIUM"
],
"x_mitre_deprecated": false,
- "x_mitre_version": "3.0",
+ "x_mitre_version": "3.1",
+ "x_mitre_contributors": [
+ "Hiroki Nagahama, NEC Corporation",
+ "Manikantan Srinivasan, NEC Corporation India",
+ "Pooja Natarajan, NEC Corporation India"
+ ],
"type": "intrusion-set",
"id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340",
"created": "2019-01-29T21:27:24.793Z",
@@ -74,7 +79,7 @@
},
{
"source_name": "FireEye APT38 Oct 2018",
- "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.",
+ "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"
},
{
diff --git a/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json b/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json
index 5e387a2960..6578f11aad 100644
--- a/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json
+++ b/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json
@@ -1,46 +1,46 @@
{
"type": "bundle",
- "id": "bundle--cc588bbe-dc7c-4947-8de0-627455d30932",
+ "id": "bundle--ff336d8e-6c22-4b7a-81cb-ab1b93e2647f",
"spec_version": "2.0",
"objects": [
{
- "aliases": [
- "ALLANITE",
- "Palmetto Fusion"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_contributors": [
- "Dragos Threat Intelligence"
+ "type": "intrusion-set",
+ "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae",
+ "created": "2017-05-31T21:31:57.307Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G1000",
+ "external_id": "G1000"
+ },
+ {
+ "source_name": "Dragos",
+ "description": "Dragos Allanite Retrieved. 2019/10/27 ",
+ "url": "https://dragos.com/resource/allanite/"
+ }
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "intrusion-set",
- "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae",
- "created": "2017-05-31T21:31:57.307Z",
- "x_mitre_version": "1.0",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "external_id": "G1000",
- "url": "https://attack.mitre.org/groups/G1000"
- },
- {
- "source_name": "Dragos",
- "url": "https://dragos.com/resource/allanite/",
- "description": "Dragos Allanite Retrieved. 2019/10/27 "
- }
- ],
- "x_mitre_deprecated": false,
- "revoked": false,
- "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)",
- "modified": "2022-05-24T19:26:10.721Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2025-04-16T21:26:23.407Z",
"name": "ALLANITE",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)",
+ "aliases": [
+ "ALLANITE",
+ "Palmetto Fusion"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Dragos Threat Intelligence"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json b/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json
index dddf6c0e8e..097f49c05e 100644
--- a/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json
+++ b/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4ad6462a-ef31-40bc-8e7e-661b606b2751",
+ "id": "bundle--5e07bb8c-7bf7-4f81-a67e-5c2ad7dc2d5a",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json b/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json
index 79cd185476..baf93e7314 100644
--- a/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json
+++ b/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json
@@ -1,10 +1,10 @@
{
"type": "bundle",
- "id": "bundle--8eb3e58a-1b15-4774-b81b-50623f857014",
+ "id": "bundle--00e3a49b-1f15-4c24-94ea-c29265fccebf",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-01-08T22:13:27.588Z",
+ "modified": "2024-11-17T14:59:25.749Z",
"name": "FIN6",
"description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)",
"aliases": [
@@ -63,8 +63,8 @@
},
{
"source_name": "FireEye FIN6 April 2016",
- "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.",
- "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
+ "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20190807112824/https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
},
{
"source_name": "FireEye FIN6 Apr 2019",
diff --git a/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json b/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json
index 8e603b571e..46554eec24 100644
--- a/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json
+++ b/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--dc4f47ff-97cb-4ab9-b94c-17468995fade",
+ "id": "bundle--775e18ad-26d6-4895-a76e-4fa119492658",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json
index 6f13270080..ae642c305c 100644
--- a/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json
+++ b/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json
@@ -1,10 +1,10 @@
{
"type": "bundle",
- "id": "bundle--68e4253a-e837-4eb5-bb3d-622a8e87ec15",
+ "id": "bundle--00665140-9e33-4a03-9d21-2e17b3e12d4f",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-09-12T17:37:44.040Z",
+ "modified": "2024-12-04T21:17:08.593Z",
"name": "Sandworm Team",
"description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)",
"aliases": [
@@ -21,7 +21,7 @@
"APT44"
],
"x_mitre_deprecated": false,
- "x_mitre_version": "4.1",
+ "x_mitre_version": "4.2",
"x_mitre_contributors": [
"Dragos Threat Intelligence",
"Hakan KARABACAK"
diff --git a/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json b/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
index 37b5d9b3ed..a6df04a3d6 100644
--- a/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
+++ b/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
@@ -1,10 +1,10 @@
{
"type": "bundle",
- "id": "bundle--45fd0bd1-9666-416c-a1b0-b61e06f8ce30",
+ "id": "bundle--5b966695-b227-4ad7-9951-55af0d6190b2",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-09-04T20:33:04.739Z",
+ "modified": "2025-01-16T18:55:49.463Z",
"name": "OilRig",
"description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)",
"aliases": [
@@ -16,14 +16,18 @@
"Evasive Serpens",
"Hazel Sandstorm",
"EUROPIUM",
- "ITG13"
+ "ITG13",
+ "Earth Simnavaz",
+ "Crambus",
+ "TA452"
],
"x_mitre_deprecated": false,
- "x_mitre_version": "4.1",
+ "x_mitre_version": "5.0",
"x_mitre_contributors": [
"Robert Falcone",
"Bryan Lee",
- "Dragos Threat Intelligence"
+ "Dragos Threat Intelligence",
+ "Jaesang Oh, KC7 Foundation"
],
"type": "intrusion-set",
"id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
@@ -56,10 +60,22 @@
"source_name": "OilRig",
"description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)"
},
+ {
+ "source_name": "TA452",
+ "description": "(Citation: Proofpoint Iranian Aligned Attacks JAN 2020)"
+ },
{
"source_name": "COBALT GYPSY",
"description": "(Citation: Secureworks COBALT GYPSY Threat Profile)"
},
+ {
+ "source_name": "Crambus",
+ "description": "(Citation: Symantec Crambus OCT 2023)"
+ },
+ {
+ "source_name": "Earth Simnavaz",
+ "description": "(Citation: Trend Micro Earth Simnavaz October 2024)"
+ },
{
"source_name": "Helix Kitten",
"description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)"
@@ -78,6 +94,11 @@
"description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.",
"url": "http://www.clearskysec.com/oilrig/"
},
+ {
+ "source_name": "Trend Micro Earth Simnavaz October 2024",
+ "description": "Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.",
+ "url": "https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html"
+ },
{
"source_name": "Palo Alto OilRig May 2016",
"description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.",
@@ -113,6 +134,11 @@
"description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
"url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
},
+ {
+ "source_name": "Proofpoint Iranian Aligned Attacks JAN 2020",
+ "description": "Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.",
+ "url": "https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect"
+ },
{
"source_name": "FireEye APT34 Dec 2017",
"description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.",
@@ -123,6 +149,11 @@
"description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.",
"url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
},
+ {
+ "source_name": "Symantec Crambus OCT 2023",
+ "description": "Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.",
+ "url": "https://www.security.com/threat-intelligence/crambus-middle-east-government"
+ },
{
"source_name": "APT34",
"description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)"
diff --git a/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json b/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json
index 5992a1169e..b83a2b1eb1 100644
--- a/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json
+++ b/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json
@@ -1,14 +1,11 @@
{
"type": "bundle",
- "id": "bundle--14c20c6d-9cc2-4dee-8268-a5d5c912ffd2",
+ "id": "bundle--4a57576b-e457-4394-8206-d3d3b016cda1",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_domains": [
- "ics-attack"
- ],
- "id": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6",
"type": "intrusion-set",
+ "id": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6",
"created": "2018-01-16T16:13:52.465Z",
"revoked": true,
"external_references": [
@@ -18,9 +15,17 @@
"external_id": "G0057"
}
],
- "modified": "2018-10-17T00:17:13.469Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T17:59:29.085Z",
"name": "APT34",
- "x_mitre_version": "1.0"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json b/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
index a49f31893a..23c85c7ed7 100644
--- a/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
+++ b/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
@@ -1,31 +1,19 @@
{
"type": "bundle",
- "id": "bundle--418bfd3c-7a55-4f95-b1ea-a29c569c6a97",
+ "id": "bundle--cc54752c-4924-40a8-b3b6-84b0bebc0bf8",
"spec_version": "2.0",
"objects": [
{
- "aliases": [
- "Dragonfly 2.0",
- "IRON LIBERTY",
- "DYMALLOY",
- "Berserk Bear"
- ],
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "intrusion-set",
"id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71",
"created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "2.1",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": true,
"external_references": [
{
"source_name": "mitre-attack",
- "external_id": "G0074",
- "url": "https://attack.mitre.org/groups/G0074"
+ "url": "https://attack.mitre.org/groups/G0074",
+ "external_id": "G0074"
},
{
"source_name": "DYMALLOY",
@@ -45,43 +33,55 @@
},
{
"source_name": "Dragos DYMALLOY ",
- "url": "https://www.dragos.com/threat/dymalloy/",
- "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020."
+ "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.",
+ "url": "https://www.dragos.com/threat/dymalloy/"
},
{
"source_name": "Fortune Dragonfly 2.0 Sept 2017",
- "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/",
- "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018."
+ "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.",
+ "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/"
},
{
"source_name": "Secureworks MCMD July 2019",
- "url": "https://www.secureworks.com/research/mcmd-malware-analysis",
- "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020."
+ "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.",
+ "url": "https://www.secureworks.com/research/mcmd-malware-analysis"
},
{
"source_name": "Secureworks IRON LIBERTY",
- "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty",
- "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020."
+ "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020.",
+ "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty"
},
{
"source_name": "Symantec Dragonfly Sept 2017",
- "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
- "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017."
+ "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.",
+ "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
},
{
"source_name": "US-CERT TA18-074A",
- "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A",
- "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."
+ "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"
}
],
- "x_mitre_deprecated": false,
- "revoked": true,
- "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )",
- "modified": "2022-05-11T14:00:00.188Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T17:59:27.618Z",
"name": "Dragonfly 2.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )",
+ "aliases": [
+ "Dragonfly 2.0",
+ "IRON LIBERTY",
+ "DYMALLOY",
+ "Berserk Bear"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "2.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json b/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
index 2b8cec5987..e60e380a8e 100644
--- a/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
+++ b/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6559d7cc-d2bd-4fbb-b3eb-53ee9a9adc7a",
+ "id": "bundle--a18f9638-7842-426e-af36-694115ae9558",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/intrusion-set/intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa.json b/ics-attack/intrusion-set/intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa.json
index 3b2c64e277..86d1e06895 100644
--- a/ics-attack/intrusion-set/intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa.json
+++ b/ics-attack/intrusion-set/intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e05c1ede-62e8-457a-80eb-2516d3cdd8f4",
+ "id": "bundle--99e23aee-a732-496c-ace8-ab1a8df035bd",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json b/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json
index 4bd5f6ac0f..c3aa9105a8 100644
--- a/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json
+++ b/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json
@@ -1,21 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b278494d-3ffe-4b7c-a2e6-bf4361ac281c",
+ "id": "bundle--38a31ec0-1614-441e-a6fe-ee5d3f6e02a4",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-28T20:49:53.223Z",
- "name": "GOLD SOUTHFIELD",
- "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)",
- "aliases": [
- "GOLD SOUTHFIELD",
- "Pinchy Spider"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_version": "2.0",
- "x_mitre_contributors": [
- "Thijn Bukkems, Amazon"
- ],
"type": "intrusion-set",
"id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133",
"created": "2020-09-22T19:41:27.845Z",
@@ -55,12 +43,24 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T20:37:38.397Z",
+ "name": "GOLD SOUTHFIELD",
+ "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)",
+ "aliases": [
+ "GOLD SOUTHFIELD",
+ "Pinchy Spider"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack",
"ics-attack"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_version": "2.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Thijn Bukkems, Amazon"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json b/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
index bb160d7fb5..432c728fc8 100644
--- a/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
+++ b/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
@@ -1,27 +1,9 @@
{
"type": "bundle",
- "id": "bundle--4a47cb15-fd47-45c4-a49e-ecd886ae2dd6",
+ "id": "bundle--46373ad5-1395-4185-88de-af580fce21ed",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-04-11T16:06:34.699Z",
- "name": "Lazarus Group",
- "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). ",
- "aliases": [
- "Lazarus Group",
- "Labyrinth Chollima",
- "HIDDEN COBRA",
- "Guardians of Peace",
- "ZINC",
- "NICKEL ACADEMY",
- "Diamond Sleet"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_version": "4.0",
- "x_mitre_contributors": [
- "Kyaw Pyiyt Htet, @KyawPyiytHtet",
- "Dragos Threat Intelligence"
- ],
"type": "intrusion-set",
"id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"created": "2017-05-31T21:32:03.807Z",
@@ -105,12 +87,34 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T17:21:11.622Z",
+ "name": "Lazarus Group",
+ "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). ",
+ "aliases": [
+ "Lazarus Group",
+ "Labyrinth Chollima",
+ "HIDDEN COBRA",
+ "Guardians of Peace",
+ "ZINC",
+ "NICKEL ACADEMY",
+ "Diamond Sleet"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "4.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Kyaw Pyiyt Htet, @KyawPyiytHtet",
+ "Dragos Threat Intelligence",
+ "MyungUk Han, ASEC",
+ "Jun Hirata, NEC Corporation",
+ "Manikantan Srinivasan, NEC Corporation India",
+ "Pooja Natarajan, NEC Corporation India"
+ ],
"x_mitre_domains": [
"enterprise-attack",
"ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json b/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
index aa9ebbffe2..8e0e44cfa7 100644
--- a/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
+++ b/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
@@ -1,12 +1,12 @@
{
"type": "bundle",
- "id": "bundle--afe6c16f-6418-4feb-9ebe-66138693073d",
+ "id": "bundle--6ec6ed19-9a11-4e39-bd65-7ec3fb4481db",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-04-03T20:21:34.872Z",
+ "modified": "2025-03-12T20:33:21.597Z",
"name": "Wizard Spider",
- "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)",
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)",
"aliases": [
"Wizard Spider",
"UNC1878",
diff --git a/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json b/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json
index bdb48a40dc..4e5fbf4ece 100644
--- a/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json
+++ b/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a8dfa930-85dd-468f-bf33-f736524a00a4",
+ "id": "bundle--3fb04eda-6375-4f33-80fa-7531c4926294",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json b/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json
index 08df98de29..728deb3df3 100644
--- a/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json
+++ b/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--fbed2910-7c86-45db-a649-98a4bd4276f8",
+ "id": "bundle--de5dc3a1-8869-464c-953d-0ec71a68aaea",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json b/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json
index db44d72399..c2971e504b 100644
--- a/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json
+++ b/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json
@@ -1,25 +1,9 @@
{
"type": "bundle",
- "id": "bundle--55e73368-a494-40c2-aa60-9016ec61c6d9",
+ "id": "bundle--5c2a963a-2b23-44f3-97f3-157966f7b284",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:04:48.834Z",
- "name": "EKANS",
- "description": "[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_version": "2.0",
- "x_mitre_aliases": [
- "EKANS",
- "SNAKEHOSE"
- ],
"type": "malware",
"id": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
"created": "2021-02-12T20:07:42.883Z",
@@ -58,11 +42,27 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T20:37:51.908Z",
+ "name": "EKANS",
+ "description": "[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "2.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "EKANS",
+ "SNAKEHOSE"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json b/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json
index 5dde2f969a..ff76dc3d52 100644
--- a/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json
+++ b/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json
@@ -1,25 +1,9 @@
{
"type": "bundle",
- "id": "bundle--11c19ebe-c001-4f40-974d-420d4b5eed22",
+ "id": "bundle--ecd8be61-10ce-4e49-97c3-6ef4592db74e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-12T17:18:25.971Z",
- "name": "Backdoor.Oldrea",
- "description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_version": "2.0",
- "x_mitre_aliases": [
- "Backdoor.Oldrea",
- "Havex"
- ],
"type": "malware",
"id": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
"created": "2017-05-31T21:32:59.661Z",
@@ -50,11 +34,27 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T20:37:53.808Z",
+ "name": "Backdoor.Oldrea",
+ "description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "2.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Backdoor.Oldrea",
+ "Havex"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json b/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json
index c6a121ff4a..1eee7a8a1b 100644
--- a/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json
+++ b/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json
@@ -1,10 +1,10 @@
{
"type": "bundle",
- "id": "bundle--4ce34836-e514-4bc9-8592-dafb18f76c25",
+ "id": "bundle--b744127b-9881-4aad-8b90-6ad848e557e4",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-04-10T23:46:32.577Z",
+ "modified": "2025-01-02T19:40:26.678Z",
"name": "Stuxnet",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ",
"x_mitre_platforms": [
@@ -43,12 +43,12 @@
{
"source_name": "ESET Stuxnet Under the Microscope",
"description": "Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.",
- "url": "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf"
+ "url": "https://web-assets.esetstatic.com/wls/2012/11/Stuxnet_Under_the_Microscope.pdf"
},
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
},
{
"source_name": "Langer Stuxnet",
diff --git a/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json b/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json
index 763e130767..f8604d9522 100644
--- a/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json
+++ b/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json
@@ -1,38 +1,18 @@
{
"type": "bundle",
- "id": "bundle--37d67f6f-2c3d-4357-99dd-c51a088c7b77",
+ "id": "bundle--4bba169d-4a42-4e90-88ee-a0d1cb66b95b",
"spec_version": "2.0",
"objects": [
{
- "labels": [
- "malware"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_aliases": [
- "Industroyer",
- "CRASHOVERRIDE"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "name": "Industroyer",
- "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) is a sophisticated piece of malware designed to cause an [Impact](https://collaborate.mitre.org/attackics/index.php/Impact) to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.(Citation: ESET Win32/Industroyer) Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride)(Citation: CISA Alert (TA17-163A))(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2019)",
- "id": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585",
"type": "malware",
- "x_mitre_version": "1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585",
"created": "2017-05-31T21:33:21.973Z",
- "modified": "2021-10-21T14:00:00.188Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
- "external_id": "S1004",
"source_name": "mitre-ics-attack",
- "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0001"
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0001",
+ "external_id": "S1004"
},
{
"source_name": "ESET Win32/Industroyer",
@@ -60,9 +40,29 @@
"url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T18:00:54.754Z",
+ "name": "Industroyer",
+ "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) is a sophisticated piece of malware designed to cause an [Impact](https://collaborate.mitre.org/attackics/index.php/Impact) to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.(Citation: ESET Win32/Industroyer) Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride)(Citation: CISA Alert (TA17-163A))(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2019)",
+ "labels": [
+ "malware"
+ ],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": true
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Industroyer",
+ "CRASHOVERRIDE"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json b/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json
index 3f2c8bc506..7355ba8934 100644
--- a/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json
+++ b/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json
@@ -1,58 +1,58 @@
{
"type": "bundle",
- "id": "bundle--9e1f09f9-0ab6-4d16-b6e1-2949d6823e47",
+ "id": "bundle--18cf9944-230b-4b5d-925f-9df8d76ac281",
"spec_version": "2.0",
"objects": [
{
- "labels": [
- "malware"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_aliases": [
- "Bad Rabbit",
- "Diskcoder.D"
+ "type": "malware",
+ "id": "malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec",
+ "created": "2017-05-31T21:32:59.661Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-ics-attack",
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0005",
+ "external_id": "S1001"
+ },
+ {
+ "source_name": "ESET Bad Rabbit Oct 2017",
+ "description": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
+ "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
+ },
+ {
+ "source_name": "Kaspersky Bad Rabbit Oct 2017",
+ "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. (2017, October 27). Bad Rabbit Ransomware. Retrieved October 27, 2019.",
+ "url": "https://securelist.com/bad-rabbit-ransomware/82851/"
+ },
+ {
+ "source_name": "Dragos IT Ransomware for ICS Environments Apr 2019",
+ "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.",
+ "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
+ }
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:54.935Z",
"name": "Bad Rabbit",
"description": "[Bad Rabbit](https://collaborate.mitre.org/attackics/index.php/Software/S0005) is a self-propagating (\u201cwormable\u201d) ransomware that affected the transportation sector in Ukraine. (Citation: ESET Bad Rabbit Oct 2017)",
- "type": "malware",
- "x_mitre_version": "1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec",
- "created": "2017-05-31T21:32:59.661Z",
- "modified": "2021-10-21T14:00:00.188Z",
- "external_references": [
- {
- "external_id": "S1001",
- "source_name": "mitre-ics-attack",
- "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0005"
- },
- {
- "description": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
- "source_name": "ESET Bad Rabbit Oct 2017",
- "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
- },
- {
- "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. (2017, October 27). Bad Rabbit Ransomware. Retrieved October 27, 2019.",
- "source_name": "Kaspersky Bad Rabbit Oct 2017",
- "url": "https://securelist.com/bad-rabbit-ransomware/82851/"
- },
- {
- "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.",
- "source_name": "Dragos IT Ransomware for ICS Environments Apr 2019",
- "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
- }
+ "labels": [
+ "malware"
],
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": true
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Bad Rabbit",
+ "Diskcoder.D"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json b/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json
index 365d4fa70c..835e9f7c81 100644
--- a/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json
+++ b/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json
@@ -1,12 +1,12 @@
{
"type": "bundle",
- "id": "bundle--aeb2672c-5838-4d02-bfbf-07b562546bfe",
+ "id": "bundle--db7a7e1d-50c5-42de-9812-7da7bd8944ff",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-12T17:29:57.200Z",
+ "modified": "2025-01-02T19:45:31.402Z",
"name": "Bad Rabbit",
- "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) ",
+ "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos Apr 2019)",
"x_mitre_platforms": [
"Windows"
],
@@ -15,7 +15,7 @@
"enterprise-attack",
"ics-attack"
],
- "x_mitre_version": "1.0",
+ "x_mitre_version": "1.1",
"x_mitre_aliases": [
"Bad Rabbit",
"Win32/Diskcoder.D"
@@ -31,6 +31,11 @@
"url": "https://attack.mitre.org/software/S0606",
"external_id": "S0606"
},
+ {
+ "source_name": "Dragos Apr 2019",
+ "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.",
+ "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
+ },
{
"source_name": "ESET Bad Rabbit",
"description": "M.L\u00e9veille, M-E.. (2017, October 24). Bad Rabbit: Not\u2011Petya is back with improved ransomware. Retrieved January 28, 2021.",
@@ -40,11 +45,6 @@
"source_name": "Secure List Bad Rabbit",
"description": "Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.",
"url": "https://securelist.com/bad-rabbit-ransomware/82851/"
- },
- {
- "source_name": "Dragos IT ICS Ransomware",
- "description": "Slowik, J.. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.",
- "url": "https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
}
],
"object_marking_refs": [
@@ -53,7 +53,7 @@
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
diff --git a/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json b/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json
index 55849e2ad0..959d81ed09 100644
--- a/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json
+++ b/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json
@@ -1,37 +1,18 @@
{
"type": "bundle",
- "id": "bundle--d8a684e7-81d1-45d8-b489-3b9496614533",
+ "id": "bundle--32c6d0fc-342f-4c79-af3e-d7f055e16b1c",
"spec_version": "2.0",
"objects": [
{
- "labels": [
- "malware"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_aliases": [
- "Stuxnet"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "name": "Stuxnet",
- "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.(Citation: Wired W32.Stuxnet Dossier Feb 2011)(Citation: Symantec W32.Stuxnet Writeup)(Citation: CISA ICS Advisory (ICSA-10-238-01B))(Citation: SCADAhacker Stuxnet Mitigation Jan 2014)",
- "id": "malware--496bff4d-0700-4b28-b06f-f30a63002be7",
- "x_mitre_version": "1.0",
"type": "malware",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "malware--496bff4d-0700-4b28-b06f-f30a63002be7",
"created": "2019-03-26T15:02:14.907Z",
- "modified": "2021-10-21T14:00:00.188Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-ics-attack",
- "external_id": "S1008",
- "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0010"
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0010",
+ "external_id": "S1008"
},
{
"source_name": "Wired W32.Stuxnet Dossier Feb 2011",
@@ -59,9 +40,28 @@
"url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T18:00:55.125Z",
+ "name": "Stuxnet",
+ "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.(Citation: Wired W32.Stuxnet Dossier Feb 2011)(Citation: Symantec W32.Stuxnet Writeup)(Citation: CISA ICS Advisory (ICSA-10-238-01B))(Citation: SCADAhacker Stuxnet Mitigation Jan 2014)",
+ "labels": [
+ "malware"
+ ],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": true
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Stuxnet"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json b/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
index 0f70e350df..3f64198585 100644
--- a/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
+++ b/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
@@ -1,54 +1,54 @@
{
"type": "bundle",
- "id": "bundle--ef51fce9-d997-486a-b6dd-1f83c8d0a716",
+ "id": "bundle--d2dce9f0-bfd5-4638-8e99-37e3d1ae1a20",
"spec_version": "2.0",
"objects": [
{
- "labels": [
- "malware"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_aliases": [
- "Conficker",
- "Downadup",
- "Kido"
+ "type": "malware",
+ "id": "malware--49c04994-1035-4b58-89b7-cf8956e3b423",
+ "created": "2017-05-31T21:32:59.661Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-ics-attack",
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0012",
+ "external_id": "S1003"
+ },
+ {
+ "source_name": "Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary",
+ "description": "Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.",
+ "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
+ },
+ {
+ "source_name": "Symantec Conficker Jun 2015",
+ "description": "Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.",
+ "url": "https://support.symantec.com/us/en/article.tech93179.html"
+ }
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:55.301Z",
"name": "Conficker",
"description": "[Conficker](https://collaborate.mitre.org/attackics/index.php/Software/S0012) is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant. (Citation: Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary)",
- "type": "malware",
- "x_mitre_version": "1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "malware--49c04994-1035-4b58-89b7-cf8956e3b423",
- "created": "2017-05-31T21:32:59.661Z",
- "modified": "2021-10-21T14:00:00.188Z",
- "external_references": [
- {
- "external_id": "S1003",
- "source_name": "mitre-ics-attack",
- "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0012"
- },
- {
- "description": "Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.",
- "source_name": "Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary",
- "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
- },
- {
- "description": "Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.",
- "source_name": "Symantec Conficker Jun 2015",
- "url": "https://support.symantec.com/us/en/article.tech93179.html"
- }
+ "labels": [
+ "malware"
],
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": true
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Conficker",
+ "Downadup",
+ "Kido"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json b/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
index 00590d2f0c..c02057f5fb 100644
--- a/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
+++ b/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
@@ -1,20 +1,9 @@
{
"type": "bundle",
- "id": "bundle--20bdb110-0cf9-459a-ac52-833fcb160237",
+ "id": "bundle--1ba90a08-4dc6-465d-bb58-cc375eef0867",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-12T17:59:55.276Z",
- "name": "PLC-Blaster",
- "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_aliases": [
- "PLC-Blaster"
- ],
"type": "malware",
"id": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
"created": "2019-03-26T15:02:14.907Z",
@@ -40,11 +29,22 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T21:26:24.423Z",
+ "name": "PLC-Blaster",
+ "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "PLC-Blaster"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json b/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
index 7e8fdeb201..9b993a61e9 100644
--- a/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
+++ b/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2795b8f8-6cae-478e-ae31-95e3808bda00",
+ "id": "bundle--6963465e-a76c-474b-8658-a1f61753601f",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json b/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
index 52ba100bc1..d1f6388b7d 100644
--- a/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
+++ b/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
@@ -1,29 +1,9 @@
{
"type": "bundle",
- "id": "bundle--16f763c8-bc58-4a60-bc77-9fd02714fdc5",
+ "id": "bundle--a78e326b-a5fc-4044-a7b2-ac2edb821c6e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:11:21.842Z",
- "name": "NotPetya",
- "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_version": "2.0",
- "x_mitre_aliases": [
- "NotPetya",
- "ExPetr",
- "Diskcoder.C",
- "GoldenEye",
- "Petrwrap",
- "Nyetya"
- ],
"type": "malware",
"id": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
"created": "2019-03-26T15:02:14.907Z",
@@ -79,11 +59,31 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T20:38:09.202Z",
+ "name": "NotPetya",
+ "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "2.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "NotPetya",
+ "ExPetr",
+ "Diskcoder.C",
+ "GoldenEye",
+ "Petrwrap",
+ "Nyetya"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json b/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
index 5f29ffdf8b..3ad13bfe7b 100644
--- a/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
+++ b/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
@@ -1,26 +1,9 @@
{
"type": "bundle",
- "id": "bundle--d1749c25-2c1a-4103-b1ed-43eba1aa8654",
+ "id": "bundle--f82440c4-6929-48a0-890a-b07c937dd0f3",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:15:47.458Z",
- "name": "Conficker",
- "description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_aliases": [
- "Conficker",
- "Kido",
- "Downadup"
- ],
"type": "malware",
"id": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55",
"created": "2021-02-23T20:50:32.845Z",
@@ -54,11 +37,28 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T20:38:10.239Z",
+ "name": "Conficker",
+ "description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Conficker",
+ "Kido",
+ "Downadup"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json b/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
index eab9593491..1dfc237998 100644
--- a/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
+++ b/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--cc07cd47-80ec-4482-b423-77fc6448520e",
+ "id": "bundle--d2bbe299-18df-47b1-b800-3958e1ab0991",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json b/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json
index e46744a943..05b0aa08c4 100644
--- a/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json
+++ b/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json
@@ -1,25 +1,9 @@
{
"type": "bundle",
- "id": "bundle--ca08dfd0-689d-420f-b429-78a84e31785b",
+ "id": "bundle--908ac67a-94a5-431b-a058-197cd17aa668",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-08-15T22:01:22.169Z",
- "name": "VPNFilter",
- "description": "[VPNFilter](https://attack.mitre.org/software/S1010) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S1010) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019) [VPNFilter](https://attack.mitre.org/software/S1010) was assessed to be replaced by [Sandworm Team](https://attack.mitre.org/groups/G0034) with [Cyclops Blink](https://attack.mitre.org/software/S0687) starting in 2019.(Citation: NCSC CISA Cyclops Blink Advisory February 2022)",
- "x_mitre_platforms": [
- "Network",
- "Linux"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack",
- "enterprise-attack"
- ],
- "x_mitre_version": "2.0",
- "x_mitre_aliases": [
- "VPNFilter"
- ],
"type": "malware",
"id": "malware--6108f800-10b8-4090-944e-be579f01263d",
"created": "2019-03-26T15:02:14.907Z",
@@ -50,11 +34,27 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-15T19:46:34.471Z",
+ "name": "VPNFilter",
+ "description": "[VPNFilter](https://attack.mitre.org/software/S1010) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S1010) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019) [VPNFilter](https://attack.mitre.org/software/S1010) was assessed to be replaced by [Sandworm Team](https://attack.mitre.org/groups/G0034) with [Cyclops Blink](https://attack.mitre.org/software/S0687) starting in 2019.(Citation: NCSC CISA Cyclops Blink Advisory February 2022)",
"labels": [
"malware"
],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Network Devices",
+ "Linux"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "2.1",
"x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_aliases": [
+ "VPNFilter"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json b/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json
index d7ba89fdd5..a754c4b5ca 100644
--- a/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json
+++ b/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json
@@ -1,24 +1,9 @@
{
"type": "bundle",
- "id": "bundle--18dd0b6c-00f2-4739-8476-16480e86bf2e",
+ "id": "bundle--d406ee94-374c-46b1-a7e5-c85b0bc64784",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:17:50.971Z",
- "name": "Duqu",
- "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_version": "1.2",
- "x_mitre_aliases": [
- "Duqu"
- ],
"type": "malware",
"id": "malware--68dca94f-c11d-421e-9287-7c501108e18c",
"created": "2017-05-31T21:32:31.188Z",
@@ -39,11 +24,26 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T20:38:14.352Z",
+ "name": "Duqu",
+ "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Duqu"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json b/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json
index 858e10df7c..e22ea40a8e 100644
--- a/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json
+++ b/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json
@@ -1,25 +1,9 @@
{
"type": "bundle",
- "id": "bundle--e9b7cbb3-6733-43c5-8aeb-c88c85550df7",
+ "id": "bundle--7f49e1cf-0891-494a-a306-596415175c9e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-04-06T22:00:22.774Z",
- "name": "Industroyer2",
- "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)",
- "x_mitre_platforms": [
- "Field Controller/RTU/PLC/IED",
- "Engineering Workstation"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack",
- "enterprise-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_aliases": [
- "Industroyer2"
- ],
"type": "malware",
"id": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
"created": "2023-03-30T19:20:45.556Z",
@@ -40,11 +24,27 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T20:38:14.728Z",
+ "name": "Industroyer2",
+ "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Field Controller/RTU/PLC/IED",
+ "Engineering Workstation"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Industroyer2"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json b/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json
index 8182968cb8..65f80706c9 100644
--- a/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json
+++ b/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json
@@ -1,37 +1,18 @@
{
"type": "bundle",
- "id": "bundle--62334e2e-4c1c-43c1-b7dd-df9f856ab620",
+ "id": "bundle--47cee00c-4a0e-40b9-8d9a-8016c3daa6da",
"spec_version": "2.0",
"objects": [
{
- "labels": [
- "malware"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_aliases": [
- "Killdisk"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "name": "Killdisk",
- "description": "In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable. (Citation: ESET BlackEnergy Jan 2016)",
- "id": "malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830",
"type": "malware",
- "x_mitre_version": "1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830",
"created": "2017-05-31T21:33:21.973Z",
- "modified": "2021-10-21T14:00:00.188Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
- "external_id": "S1005",
"source_name": "mitre-ics-attack",
- "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0016"
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0016",
+ "external_id": "S1005"
},
{
"source_name": "ESET BlackEnergy Jan 2016",
@@ -44,9 +25,28 @@
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T18:00:55.503Z",
+ "name": "Killdisk",
+ "description": "In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable. (Citation: ESET BlackEnergy Jan 2016)",
+ "labels": [
+ "malware"
+ ],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": true
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Killdisk"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json b/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json
index 04917d54d6..fb57ba24c3 100644
--- a/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json
+++ b/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json
@@ -1,10 +1,10 @@
{
"type": "bundle",
- "id": "bundle--9784640f-bbe0-4474-989f-06d24557e496",
+ "id": "bundle--0d7dd333-338d-4e07-adbc-d6d4f59f07e9",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:20:20.868Z",
+ "modified": "2024-12-09T02:29:13.859Z",
"name": "WannaCry",
"description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)",
"x_mitre_platforms": [
@@ -70,8 +70,8 @@
},
{
"source_name": "LogRhythm WannaCry",
- "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.",
- "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"
+ "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024.",
+ "url": "https://web.archive.org/web/20230522041200/https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"
},
{
"source_name": "US-CERT WannaCry 2017",
@@ -85,7 +85,7 @@
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
diff --git a/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json b/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json
index b62e159570..b2babbc5cc 100644
--- a/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json
+++ b/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--41310896-b58d-4e27-8be6-db90cc8a2c3c",
+ "id": "bundle--a9ee4f60-1f1d-4a58-b7ee-61c3e2d16ab2",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json b/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json
index e410554a8b..16c947784a 100644
--- a/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json
+++ b/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json
@@ -1,47 +1,47 @@
{
"type": "bundle",
- "id": "bundle--0a7d3a0a-ebbd-426b-b4d3-d04d25dbae9a",
+ "id": "bundle--ab70bdd2-f0cb-4557-abcb-b664d2e4b4c7",
"spec_version": "2.0",
"objects": [
{
- "labels": [
- "malware"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_aliases": [
- "BlackEnergy 3"
+ "type": "malware",
+ "id": "malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b",
+ "created": "2017-05-31T21:32:59.661Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-ics-attack",
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0004",
+ "external_id": "S1002"
+ },
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ }
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-18T18:00:55.679Z",
"name": "BlackEnergy 3",
"description": "[BlackEnergy 3](https://collaborate.mitre.org/attackics/index.php/Software/S0004) is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid. (Citation: Booz Allen Hamilton)",
- "type": "malware",
- "x_mitre_version": "1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b",
- "created": "2017-05-31T21:32:59.661Z",
- "modified": "2021-04-29T14:49:39.188Z",
- "external_references": [
- {
- "external_id": "S1002",
- "source_name": "mitre-ics-attack",
- "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0004"
- },
- {
- "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.",
- "source_name": "Booz Allen Hamilton",
- "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
- }
+ "labels": [
+ "malware"
],
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": true
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "BlackEnergy 3"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--931e2489-8078-4f9f-85b2-a9211950e75b.json b/ics-attack/malware/malware--931e2489-8078-4f9f-85b2-a9211950e75b.json
index 4a725e9dbb..3dec5c42e6 100644
--- a/ics-attack/malware/malware--931e2489-8078-4f9f-85b2-a9211950e75b.json
+++ b/ics-attack/malware/malware--931e2489-8078-4f9f-85b2-a9211950e75b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a9df73b4-e2cc-4087-8e33-88dcca269ce6",
+ "id": "bundle--95db1f49-f478-412c-b052-ef1edc8b8fc7",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json b/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json
index 5b10ef737d..4b0014d30f 100644
--- a/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json
+++ b/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json
@@ -1,35 +1,18 @@
{
"type": "bundle",
- "id": "bundle--5fa356ef-70a3-4d2c-9822-d26b66141f67",
+ "id": "bundle--27c99d82-8f6a-41a4-8d0c-c7740f79f7e3",
"spec_version": "2.0",
"objects": [
{
- "labels": [
- "malware"
- ],
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_aliases": [
- "EKANS",
- "SNAKEHOSE"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "x_mitre_version": "1.0",
"type": "malware",
- "modified": "2021-10-21T14:00:00.188Z",
+ "id": "malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f",
"created": "2021-04-13T12:28:31.188Z",
- "description": "[EKANS](https://collaborate.mitre.org/attackics/index.php/Software/S0017) is ransomware that was first seen December 2019 and later reported to have impacted operations at Honda automotive production facilities.(Citation: Forbes Snake Ransomware June 2020)(Citation: MalwareByes Honda and Enel Ransomware June 2020)(Citation: Dragos EKANS February 2020) EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).(Citation: Dragos EKANS February 2020) If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the \u201cSnake\u201d malware associated with the Turla group. The ICS processes documented within the malware\u2019s kill-list is similar to those defined by the MEGACORTEX software.(Citation: FireEye OT Ransomware July 2020)(Citation: Pylos January 2020)(Citation: Dragos EKANS June 2020)The ransomware was initially reported as \u201cSnake\u201d, however, to avoid confusion with the unrelated Turla APT group security researchers spelled it backwards as EKANS.",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-ics-attack",
- "external_id": "S0017",
- "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0017"
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0017",
+ "external_id": "S0017"
},
{
"source_name": "Forbes Snake Ransomware June 2020",
@@ -62,12 +45,29 @@
"url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/#_edn7"
}
],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "id": "malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T18:00:55.859Z",
"name": "EKANS",
- "x_mitre_attack_spec_version": "2.1.0",
+ "description": "[EKANS](https://collaborate.mitre.org/attackics/index.php/Software/S0017) is ransomware that was first seen December 2019 and later reported to have impacted operations at Honda automotive production facilities.(Citation: Forbes Snake Ransomware June 2020)(Citation: MalwareByes Honda and Enel Ransomware June 2020)(Citation: Dragos EKANS February 2020) EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).(Citation: Dragos EKANS February 2020) If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the \u201cSnake\u201d malware associated with the Turla group. The ICS processes documented within the malware\u2019s kill-list is similar to those defined by the MEGACORTEX software.(Citation: FireEye OT Ransomware July 2020)(Citation: Pylos January 2020)(Citation: Dragos EKANS June 2020)The ransomware was initially reported as \u201cSnake\u201d, however, to avoid confusion with the unrelated Turla APT group security researchers spelled it backwards as EKANS.",
+ "labels": [
+ "malware"
+ ],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_deprecated": true
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": true,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "EKANS",
+ "SNAKEHOSE"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json b/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json
index c1224460db..a53c6a34c1 100644
--- a/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json
+++ b/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json
@@ -1,28 +1,9 @@
{
"type": "bundle",
- "id": "bundle--0f1f5641-bd98-40ce-ba69-86c7a81e81c7",
+ "id": "bundle--a0e8f2dd-f83f-47b5-ac69-813fb8e7bd81",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-08-09T18:11:35.634Z",
- "name": "Ryuk",
- "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_version": "1.4",
- "x_mitre_contributors": [
- "The DFIR Report, @TheDFIRReport",
- "Matt Brenton, Zurich Insurance Group"
- ],
- "x_mitre_aliases": [
- "Ryuk"
- ],
"type": "malware",
"id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
"created": "2020-05-13T20:14:53.171Z",
@@ -62,11 +43,30 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T20:38:27.373Z",
+ "name": "Ryuk",
+ "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.4",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "The DFIR Report, @TheDFIRReport",
+ "Matt Brenton, Zurich Insurance Group"
+ ],
+ "x_mitre_aliases": [
+ "Ryuk"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json b/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json
index 39931f84a3..258688fe3e 100644
--- a/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json
+++ b/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json
@@ -1,20 +1,9 @@
{
"type": "bundle",
- "id": "bundle--8b2280ed-0cd0-4415-a321-ea1b3c16a467",
+ "id": "bundle--9402ce79-1a15-47f5-b598-263e01ccbaa9",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-12T17:15:44.068Z",
- "name": "ACAD/Medre.A",
- "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) is a worm that steals operational information. The worm collects AutoCAD files with drawings. [ACAD/Medre.A](https://attack.mitre.org/software/S1000) has the capability to be used for industrial espionage.(Citation: ESET)",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_aliases": [
- "ACAD/Medre.A"
- ],
"type": "malware",
"id": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57",
"created": "2017-05-31T21:32:59.661Z",
@@ -35,11 +24,22 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T21:26:25.077Z",
+ "name": "ACAD/Medre.A",
+ "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) is a worm that steals operational information. The worm collects AutoCAD files with drawings. [ACAD/Medre.A](https://attack.mitre.org/software/S1000) has the capability to be used for industrial espionage.(Citation: ESET)",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "ACAD/Medre.A"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json b/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json
index 29226b6615..8f84eb4f38 100644
--- a/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json
+++ b/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json
@@ -1,10 +1,10 @@
{
"type": "bundle",
- "id": "bundle--98460a64-09f4-4bf1-8bde-6bb292627de4",
+ "id": "bundle--e8a29fea-3d73-4f06-b89b-9fce7d4696f8",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-04-11T00:15:32.724Z",
+ "modified": "2024-11-17T23:08:38.543Z",
"name": "REvil",
"description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)",
"x_mitre_platforms": [
@@ -100,8 +100,8 @@
},
{
"source_name": "Tetra Defense Sodinokibi March 2020",
- "description": "Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.",
- "url": "https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis"
+ "description": "Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20210414101816/https://tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis/"
}
],
"object_marking_refs": [
diff --git a/ics-attack/malware/malware--b34df04a-9d30-4d84-a03f-0d536ee19a05.json b/ics-attack/malware/malware--b34df04a-9d30-4d84-a03f-0d536ee19a05.json
new file mode 100644
index 0000000000..a600ee6178
--- /dev/null
+++ b/ics-attack/malware/malware--b34df04a-9d30-4d84-a03f-0d536ee19a05.json
@@ -0,0 +1,59 @@
+{
+ "type": "bundle",
+ "id": "bundle--2ed5331f-0e16-49cf-a7bd-7b234fd1b1f0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2024-11-20T23:33:20.890Z",
+ "name": "FrostyGoop",
+ "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) is a Windows-based binary written in Golang that allows for interaction with industrial control system (ICS) equipment via Modbus TCP over port 502. [FrostyGoop](https://attack.mitre.org/software/S1165) allows for reading and writing data to holding registers on targeted devices, manipulating the operation of systems for malicious purposes. [FrostyGoop](https://attack.mitre.org/software/S1165) is associated with the [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041) in Ukraine.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)",
+ "x_mitre_platforms": [
+ "Control Server",
+ "Field Controller/RTU/PLC/IED"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "FrostyGoop",
+ "BUSTLEBERM"
+ ],
+ "type": "malware",
+ "id": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05",
+ "created": "2024-11-20T23:02:16.588Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1165",
+ "external_id": "S1165"
+ },
+ {
+ "source_name": "BUSTLEBERM",
+ "description": "(Citation: Nozomi BUSTLEBERM 2024)"
+ },
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ },
+ {
+ "source_name": "Nozomi BUSTLEBERM 2024",
+ "description": "Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.",
+ "url": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json b/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json
index fe63ef5167..c266b122f0 100644
--- a/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json
+++ b/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json
@@ -1,30 +1,9 @@
{
"type": "bundle",
- "id": "bundle--1f0c3b0d-3b4a-4887-8ca8-6a0df4a70e1d",
+ "id": "bundle--d485077a-787c-4c17-a7cf-ca21d618bbde",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-17T16:23:24.812Z",
- "name": "INCONTROLLER",
- "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. [INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed [INCONTROLLER](https://attack.mitre.org/software/S1045) was developed by CHERNOVITE.(Citation: CISA-AA22-103A)(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Schneider-Incontroller)(Citation: Wylie-22) ",
- "x_mitre_platforms": [
- "Field Controller/RTU/PLC/IED",
- "Safety Instrumented System/Protection Relay",
- "Engineering Workstation",
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Jimmy Wylie, Dragos, Inc."
- ],
- "x_mitre_aliases": [
- "INCONTROLLER",
- "PIPEDREAM"
- ],
"type": "malware",
"id": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"created": "2022-09-28T20:07:40.272Z",
@@ -69,11 +48,32 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T21:26:25.242Z",
+ "name": "INCONTROLLER",
+ "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. [INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed [INCONTROLLER](https://attack.mitre.org/software/S1045) was developed by CHERNOVITE.(Citation: CISA-AA22-103A)(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Schneider-Incontroller)(Citation: Wylie-22) ",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Field Controller/RTU/PLC/IED",
+ "Safety Instrumented System/Protection Relay",
+ "Engineering Workstation",
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Jimmy Wylie, Dragos, Inc."
+ ],
+ "x_mitre_aliases": [
+ "INCONTROLLER",
+ "PIPEDREAM"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json b/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json
index 7978a7fadb..de81347859 100644
--- a/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json
+++ b/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0f45411b-38df-43f5-add6-2443c2891483",
+ "id": "bundle--216b84ce-bd3e-4330-b950-4d2a95a16da6",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json b/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json
index ce467e6b56..3f5f8abf4c 100644
--- a/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json
+++ b/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a2fd9289-4ac6-4dd0-a58c-decc2d869d8c",
+ "id": "bundle--55262866-d841-4bc7-9654-f72e2592f9a8",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json b/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json
index f87958ba09..3bfa343e33 100644
--- a/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json
+++ b/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json
@@ -1,26 +1,9 @@
{
"type": "bundle",
- "id": "bundle--4c79c910-72d0-46bf-85ab-e2533334a2ed",
+ "id": "bundle--09fd68b5-4641-4cc2-a180-2fc786fdfe57",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-12T17:51:18.408Z",
- "name": "Flame",
- "description": "[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_aliases": [
- "Flame",
- "Flamer",
- "sKyWIper"
- ],
"type": "malware",
"id": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"created": "2017-05-31T21:33:21.973Z",
@@ -63,11 +46,28 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
+ "modified": "2025-04-16T20:38:46.014Z",
+ "name": "Flame",
+ "description": "[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)",
"labels": [
"malware"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "Flame",
+ "Flamer",
+ "sKyWIper"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json
index bab2ad0e97..b0a942fe58 100644
--- a/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json
+++ b/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json
@@ -1,18 +1,17 @@
{
"type": "bundle",
- "id": "bundle--4a621e1b-2976-420b-bed5-c9e3b333c772",
+ "id": "bundle--386546a7-77a7-4763-891b-1bbd04fc81e4",
"spec_version": "2.0",
"objects": [
{
"definition": {
- "statement": "Copyright 2015-2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation."
+ "statement": "Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation."
},
"id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168",
"type": "marking-definition",
"created": "2017-06-01T00:00:00.000Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "definition_type": "statement",
- "x_mitre_attack_spec_version": "2.1.0"
+ "definition_type": "statement"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json b/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json
index 59f889c381..633005bb32 100644
--- a/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json
+++ b/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--468447c9-4234-4c9b-af3b-8ec5f76f0826",
+ "id": "bundle--db744683-6b26-4a05-af27-a84bae68e1b8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--007a2c53-fc5c-4750-aff0-defb282e178a",
"created": "2023-09-29T16:30:30.829Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:30:30.829Z",
+ "modified": "2025-04-16T23:00:49.087Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json b/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json
index 088b1ddc45..5ae30c6c50 100644
--- a/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json
+++ b/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--74ddde72-e426-4d9c-8c58-7ed8269e9fc4",
+ "id": "bundle--71cd99e8-f516-4813-a7c7-3f9df73ad44a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:15:33.180Z",
+ "modified": "2025-04-16T23:00:49.334Z",
"description": "Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json b/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json
index 5a804b0a29..cd591caf1c 100644
--- a/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json
+++ b/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--92eafc8a-5c13-47ad-ab0b-bc45369bcfb2",
+ "id": "bundle--ce9293f5-c646-4520-9e7e-d6cac5703456",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T15:17:22.734Z",
+ "modified": "2025-04-16T23:00:49.547Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used Valid Accounts taken from the Windows Domain Controller to access the control system Virtual Private Network (VPN) used by grid operators. (Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json b/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json
index f9487a7ca1..22a137779b 100644
--- a/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json
+++ b/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--b0c8bdb7-2c6b-40af-a1bd-7bfb1abfd596",
+ "id": "bundle--3481cdfb-a63a-4a54-a1e4-882e77b74531",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.104Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:00:49.763Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json b/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json
index 3317484bf7..8249fc8759 100644
--- a/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json
+++ b/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--652e3281-ca90-4abf-ba44-a265f2440475",
+ "id": "bundle--49f0022c-9dad-49bb-a39c-fdef9471c8fe",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--011f1d16-c9f1-48ac-94f1-165466c155f8",
"created": "2023-09-29T18:43:33.176Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:43:33.176Z",
+ "modified": "2025-04-16T23:00:49.972Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json b/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json
index 001de90e6c..0389052a9e 100644
--- a/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json
+++ b/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e83e80e3-883b-4b39-b3e0-195d280aaf77",
+ "id": "bundle--cfacdc49-2f8d-4d2c-ad95-37a4ce9f2dc9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd",
"created": "2023-09-29T16:30:58.431Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:30:58.431Z",
+ "modified": "2025-04-16T23:00:50.177Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json b/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json
index 280ff13858..8a0ce19f0d 100644
--- a/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json
+++ b/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4b42894b-9d5e-4724-a4b1-8d82fe5c4c76",
+ "id": "bundle--5f6a9208-44de-42c5-a67b-126a392c83c2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--01335508-22bb-4185-a7e2-49ec9bee6423",
"created": "2023-09-28T20:15:20.293Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:15:20.293Z",
+ "modified": "2025-04-16T23:00:50.425Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json b/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json
index 0267bd42df..63d08250bd 100644
--- a/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json
+++ b/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--840ece9a-f472-47ae-95ba-cc6b13639009",
+ "id": "bundle--49c0a089-973a-4a1d-8fad-696bcb3d6b37",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.203Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:50.644Z",
"description": "Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json b/ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json
index f46c396730..a076d574cf 100644
--- a/ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json
+++ b/ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4de9a925-6ee0-4ead-995f-744dce35b90b",
+ "id": "bundle--b7ddbf28-7dc7-421a-beb6-724dc8567c35",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0",
"created": "2023-09-29T18:42:27.894Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:42:27.894Z",
+ "modified": "2025-04-16T23:00:50.855Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json b/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json
index c40434d670..431eaedefd 100644
--- a/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json
+++ b/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--84e2e1d1-5fba-4454-8402-607a66aa1dfa",
+ "id": "bundle--581a113b-819f-4c4a-af18-f5e2159e56e6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124",
"created": "2023-09-29T18:55:47.037Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:55:47.037Z",
+ "modified": "2025-04-16T23:00:51.055Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json b/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json
index 488cef7a03..bf1aaa4896 100644
--- a/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json
+++ b/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9ac62e55-092d-453d-98cb-da22ad2b34b0",
+ "id": "bundle--848c69ba-3493-4bbb-8968-71b4ee977630",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50",
"created": "2023-09-29T17:42:44.516Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:42:44.516Z",
+ "modified": "2025-04-16T23:00:51.276Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json b/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json
index f58f4f2e7a..fba434b269 100644
--- a/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json
+++ b/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--50bb649c-60d1-448b-984c-058c153df093",
+ "id": "bundle--a38fa2be-f434-4ea7-96e0-b290d3a1aee9",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:47:45.775Z",
+ "modified": "2025-04-16T23:00:51.476Z",
"description": "Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json b/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json
index 8d3fe276e0..ddfb727f1c 100644
--- a/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json
+++ b/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--a7d4e3c3-794a-4884-b4d2-e10997c5c617",
+ "id": "bundle--56987617-b003-4979-8b0d-1bdfc7603983",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.177Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:51.718Z",
"description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json b/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json
index ba63b20617..a66e031dfe 100644
--- a/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json
+++ b/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--aae34751-bad1-44e0-80b3-6561b30cff53",
+ "id": "bundle--7c72148e-bef6-4f6a-96aa-5c6bb33102f8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c",
"created": "2023-09-29T17:59:31.091Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:59:31.091Z",
+ "modified": "2025-04-16T23:00:51.927Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json b/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json
index e8fba98835..289fd9e02c 100644
--- a/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json
+++ b/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--17d1c459-f57e-4a58-83d3-208238a8e419",
+ "id": "bundle--96e3348d-bc7e-4349-bfcd-3c6f0492c737",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--033b4401-261f-498b-89f3-2bad9ff5907a",
"created": "2023-09-29T17:58:15.338Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:58:15.338Z",
+ "modified": "2025-04-16T23:00:52.127Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json b/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json
index 6a740d7331..ff3e974dca 100644
--- a/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json
+++ b/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3ce7b1d1-8949-498b-a6f5-a353e1703d8a",
+ "id": "bundle--62dcba42-7428-4810-906d-434efd03f200",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:27:54.588Z",
+ "modified": "2025-04-16T23:00:52.331Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json b/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json
index e508c323b1..d5c23a7bbf 100644
--- a/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json
+++ b/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4df3251f-58e3-440e-84cf-f52279e2bca8",
+ "id": "bundle--a51fa034-c886-4b05-bd4c-d3dbe4b20118",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57",
"created": "2023-09-29T16:29:03.438Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:29:03.438Z",
+ "modified": "2025-04-16T23:00:52.555Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json b/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json
index 7588a5d83e..3837bb40be 100644
--- a/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json
+++ b/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--5aab717f-554f-4cb4-a8ed-bf1d9f138d34",
+ "id": "bundle--d6585284-5637-4902-b315-86038e67d013",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:56:24.399Z",
+ "modified": "2025-04-16T23:00:52.840Z",
"description": "Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7.json b/ics-attack/relationship/relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7.json
index 3f178f01be..86272d3314 100644
--- a/ics-attack/relationship/relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7.json
+++ b/ics-attack/relationship/relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1a18f5da-0445-4d5f-8a95-2ca16b8f2ffb",
+ "id": "bundle--36bb1d5a-c3f2-43fe-84c0-f1bbe02205c5",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:00:10.292Z",
+ "modified": "2025-04-16T23:00:53.062Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) changed phone numbers tied to certain specific accounts in a designated contact list. They then used the changed phone numbers to redirect network traffic to websites controlled by them, thereby allowing them to capture and use any login codes sent to the devices via text message.(Citation: Triton-EENews-2017)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json b/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json
index b30d17336c..9f6c10dfe8 100644
--- a/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json
+++ b/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--3c0f2db3-1710-4aff-9654-c3c734ed5c4f",
+ "id": "bundle--1b8097dc-08a9-4c87-bc7d-d3fddee48be8",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.209Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:53.312Z",
"description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
"target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json b/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json
index e6d195f758..590027755a 100644
--- a/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json
+++ b/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--83598c8c-b7cd-4adc-9d09-122f26670354",
+ "id": "bundle--aebdcc83-aada-4fc0-ae9a-5b40479d6f20",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91",
"created": "2023-03-30T19:00:12.380Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -23,16 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:00:12.380Z",
+ "modified": "2025-04-16T23:00:53.533Z",
"description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)",
"relationship_type": "mitigates",
"source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json b/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json
index 5cb043d67b..b1a9689a01 100644
--- a/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json
+++ b/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3f8eb878-ea58-4cad-a006-87b87d1abd30",
+ "id": "bundle--5789cfcc-bca2-4120-bef7-6fd74d3404d7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361",
"created": "2023-09-29T17:40:34.866Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:40:34.866Z",
+ "modified": "2025-04-16T23:00:53.760Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json b/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json
index d56e23b346..f68087f66c 100644
--- a/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json
+++ b/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--90248dd2-e962-403c-bf2a-44f992b7f04a",
+ "id": "bundle--6edb4e94-30a7-47ba-b715-8ccffad71ebd",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T16:04:03.547Z",
+ "modified": "2025-04-16T23:00:53.964Z",
"description": "[Dragonfly](https://attack.mitre.org/groups/G0035) utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) or [Trojan.Karagany](https://attack.mitre.org/software/S0094). (Citation: Symantec Security Response July 2014)",
"relationship_type": "uses",
"source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json b/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json
index 571f93f965..28ae50cb54 100644
--- a/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json
+++ b/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--2e756961-deb9-4bcb-a175-26a2e9ee2164",
+ "id": "bundle--180da89d-a044-4f4a-a019-cfeb65a568fd",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.128Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:54.170Z",
"description": "Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3",
"target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json b/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json
index 9534038a0d..3e8adfa9f4 100644
--- a/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json
+++ b/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--e14e66d6-a2a8-45e1-9141-afc030ee2b9a",
+ "id": "bundle--850a54e5-e9ea-4d9b-913d-6883b45d840f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.210Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:54.429Z",
"description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json b/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json
index 7c67d3315b..60df0070a1 100644
--- a/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json
+++ b/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--bd25413c-af9b-4085-9626-8f6a67daf48a",
+ "id": "bundle--d2ba8e61-4781-41da-a98e-4dd1239dd77b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863",
"created": "2023-09-28T20:29:11.776Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:29:11.776Z",
+ "modified": "2025-04-16T23:00:54.635Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json b/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json
index ee7e04aaec..62c64bd3c7 100644
--- a/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json
+++ b/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2df118e9-f70e-4d8a-9d40-998108bcb470",
+ "id": "bundle--2a409960-f8a8-4ad1-8a6d-a2e7bc5a01b1",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:54:26.520Z",
+ "modified": "2025-04-16T23:00:54.883Z",
"description": "[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. (Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
"target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json b/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json
index 929874475b..e6d65e9202 100644
--- a/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json
+++ b/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--35eea08b-81ee-4253-8abc-726107c5f945",
+ "id": "bundle--7c0a4c38-c8c7-4497-8a11-9cb18b72eafe",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.218Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:55.092Z",
"description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json b/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json
index c36fe5ebd8..50f264ac63 100644
--- a/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json
+++ b/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e6877e55-6c9f-4063-8b13-003c06873bbd",
+ "id": "bundle--6ab44cef-b2c5-4849-9015-df0a5e9c2087",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--052552e9-eac0-4b37-9df8-2e921053e305",
"created": "2023-03-30T19:05:17.003Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:05:17.003Z",
+ "modified": "2025-04-16T23:00:55.318Z",
"description": "Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json b/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json
index 84a2f2a9ce..b4adee6ea3 100644
--- a/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json
+++ b/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--525f8729-3870-4b06-9a24-4d556977ac02",
+ "id": "bundle--2b30e73f-0cc6-45e9-86d6-05a8d9fc25e6",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:30:17.124Z",
+ "modified": "2025-04-16T23:00:55.517Z",
"description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)",
"relationship_type": "uses",
"source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json b/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json
index 257aa4c582..f278cb525a 100644
--- a/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json
+++ b/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2b2e81e2-519d-41ed-bfca-1b1f07e39ca7",
+ "id": "bundle--4c9fdcfc-d301-43cd-a1cc-ceb8d7264cd0",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T15:16:59.156Z",
+ "modified": "2025-04-16T23:00:55.721Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely read the OCP UA structure from devices.(Citation: CISA-AA22-103A) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json b/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json
index 0205d9cc9a..0b8de32fed 100644
--- a/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json
+++ b/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8caf1519-59b9-45c0-af3b-5177f2616101",
+ "id": "bundle--2ffb694f-f34b-42e6-a3bc-8acf3daba562",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--06782c99-93de-4db9-9c30-6f96aef894d2",
"created": "2023-03-30T19:06:49.501Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:06:49.501Z",
+ "modified": "2025-04-16T23:00:55.947Z",
"description": "Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json b/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json
index 6e99a8880e..581af7ce3b 100644
--- a/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json
+++ b/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--913d7375-c16f-4d12-abcc-1bc7394520e2",
+ "id": "bundle--dcea733c-0e31-4dbd-baff-aed4b38b49b8",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:19:04.571Z",
+ "modified": "2025-04-16T23:00:56.182Z",
"description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)",
"relationship_type": "uses",
"source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
"target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json b/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json
index 7732452b1c..f5ad3c22cc 100644
--- a/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json
+++ b/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--6f66d6a1-8720-437e-8e9b-530a393250d0",
+ "id": "bundle--5e777510-d384-4b8c-b6b9-88965a0d155c",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.183Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:56.445Z",
"description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json b/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json
index 90a945f8eb..ad008fb0c3 100644
--- a/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json
+++ b/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json
@@ -1,33 +1,32 @@
{
"type": "bundle",
- "id": "bundle--4d350057-6ef7-434d-9f4d-71436a56eb99",
+ "id": "bundle--94a17d30-cc17-4d9a-a560-9e1cee143b11",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--06f15629-d050-434a-aed1-3bb3f90c97b2",
"created": "2022-09-27T15:22:37.864Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "Elastic - Koadiac Detection with EQL",
- "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.",
- "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
+ "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.",
+ "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:22:37.864Z",
+ "modified": "2025-04-16T23:00:56.652Z",
"description": "Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json b/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json
index 3b498ba27a..2c48ef26ea 100644
--- a/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json
+++ b/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0dd42320-9a16-441f-b80e-200e4e133482",
+ "id": "bundle--7fb93ef5-e39e-4501-9a27-efeb76099990",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:12:43.166Z",
+ "modified": "2025-04-16T23:00:56.882Z",
"description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages over serial COM ports are blocked.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json b/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json
index ecebdb5c72..e60447dd71 100644
--- a/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json
+++ b/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--04a6851f-d632-4dc8-bd49-5f4783aabbcd",
+ "id": "bundle--bc725a57-263a-4c61-bfa4-ab38f57efcd9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e",
"created": "2023-09-28T21:28:51.104Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:28:51.104Z",
+ "modified": "2025-04-16T23:00:57.095Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json b/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json
index a0db204a7e..45e988a57c 100644
--- a/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json
+++ b/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--51fdd203-4e76-43a4-a287-dcdbbc39a149",
+ "id": "bundle--c9db45a4-bb99-4cd2-abd3-a372733cb241",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--076bfea6-309e-4804-a147-dffe93983481",
"created": "2023-09-28T20:16:17.295Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:16:17.295Z",
+ "modified": "2025-04-16T23:00:57.327Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json b/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json
index ff60aa2c2e..5f0c59172c 100644
--- a/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json
+++ b/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ba4eed2c-390b-4c4c-86b2-b5ab967b242c",
+ "id": "bundle--8e455f24-5269-4c21-ae76-87d4eac7fa1b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--07c0e166-f05e-413f-8f3e-f487317c9626",
"created": "2023-03-22T15:53:59.953Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-22T15:53:59.953Z",
+ "modified": "2025-04-16T23:00:57.527Z",
"description": "Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json b/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json
index c564294062..3ca0a49aed 100644
--- a/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json
+++ b/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4646258a-1d36-437a-8e5b-d74f6f7315d2",
+ "id": "bundle--a2025d8a-4dcc-42db-94a8-190523c8d148",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--07e06d21-e666-4274-838a-ef9996fdc0cd",
"created": "2023-09-28T20:05:45.540Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:05:45.540Z",
+ "modified": "2025-04-16T23:00:57.749Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json b/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json
index e7ba6d6b9e..998e96c75b 100644
--- a/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json
+++ b/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9a623d3e-4308-4fdc-b97d-5c32496fd0de",
+ "id": "bundle--9e34b79c-19d4-4753-8132-5f6ecd307e74",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44",
"created": "2023-09-29T16:47:20.192Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:47:20.192Z",
+ "modified": "2025-04-16T23:00:57.964Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json b/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json
index 870b371d7f..b06d16eaa2 100644
--- a/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json
+++ b/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--c0987c07-3539-46b4-abf0-71c64648d281",
+ "id": "bundle--3a7f18ec-ce7e-46c3-a98a-70dc3a448b19",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.228Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:58.167Z",
"description": "Application control may be able to prevent the running of executables masquerading as other files.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json b/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json
index 385e20a9c4..1cf6a0d16d 100644
--- a/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json
+++ b/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--8343b78c-270b-4726-85a9-1d6069e1e689",
+ "id": "bundle--1ded25df-2328-45e3-9c55-a32ec405632f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.115Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:58.381Z",
"description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499",
"target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json b/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json
index 9689a6c326..127893d807 100644
--- a/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json
+++ b/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--4ab61378-84ec-4d83-8154-ac5f74cbb6fe",
+ "id": "bundle--530b0316-3510-4191-9d0b-0309d4032c94",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.206Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:58.605Z",
"description": "Devices should authenticate all messages between master and outstation assets.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json b/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json
index 8111ab1c8e..6c91602293 100644
--- a/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json
+++ b/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e9aebd4e-dbb7-4a35-b884-6a8d44f2a9ed",
+ "id": "bundle--8fbe6078-8972-4e91-8376-1c096ed52a38",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:57:47.375Z",
+ "modified": "2025-04-16T23:00:58.858Z",
"description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json b/ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json
index 434290b88b..9bc1594b76 100644
--- a/ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json
+++ b/ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0614105a-9070-4bcc-90a4-2f3568170f0a",
+ "id": "bundle--280712f4-9f46-4f48-8361-c66de90701f5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0951222a-42d1-4635-bb12-5285bc6500e0",
"created": "2023-09-28T20:15:45.244Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:15:45.244Z",
+ "modified": "2025-04-16T23:00:59.066Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json b/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json
index 446cebfbd3..1b175cb9a2 100644
--- a/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json
+++ b/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3d52ee79-ff0f-48c3-9ce8-6134ef21e086",
+ "id": "bundle--5b0b1988-20e6-4a83-98f3-c3f7c330d6c0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--095456bc-898b-4c76-a062-ff0ea90aeab4",
"created": "2023-09-28T21:25:05.393Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:25:05.393Z",
+ "modified": "2025-04-16T23:00:59.310Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json b/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json
index cd51d2f54a..44e6ea08f2 100644
--- a/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json
+++ b/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--06df92bb-4390-4d11-833b-c8522976433d",
+ "id": "bundle--c44957dd-3567-48cb-b8d7-66706cfcdf0a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--096c3136-dac9-4729-98c0-c8d870f2bd13",
"created": "2023-09-28T19:42:01.055Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:42:01.055Z",
+ "modified": "2025-04-16T23:00:59.533Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json b/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json
index 3daca0e42a..6f9f67fdd1 100644
--- a/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json
+++ b/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--3c6ebeb4-82f7-4700-b8d4-506d56392e2d",
+ "id": "bundle--2a92752e-cb13-48c0-b1f0-fb183e1589eb",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--09977105-562f-4f45-a151-27a11a18031e",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--09977105-562f-4f45-a151-27a11a18031e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.164Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:00:59.755Z",
"description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json b/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json
index 99de1d2b07..6b53ec98e2 100644
--- a/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json
+++ b/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c6b239ae-62a2-43f2-9e15-625fd52e78d7",
+ "id": "bundle--2dbed577-3fbd-41ad-922a-a0c8a173e93c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--09e0c991-1707-431b-a0fd-fd8215e6d552",
"created": "2023-09-28T20:30:12.291Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:30:12.291Z",
+ "modified": "2025-04-16T23:00:59.961Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json b/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json
index 460e33d532..483982526d 100644
--- a/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json
+++ b/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a4c97efc-6f36-4136-abcf-470104eee770",
+ "id": "bundle--2003ba06-4126-4627-b8ab-03543ccaa12a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6",
"created": "2023-09-28T19:53:56.266Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:53:56.266Z",
+ "modified": "2025-04-16T23:01:00.211Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json b/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json
index 38c46e1f06..8ada3df8d4 100644
--- a/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json
+++ b/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--21ec57b2-5744-4fc1-a464-3614b3aee698",
+ "id": "bundle--cb53296d-f36c-4bf8-adf8-b42198ea3f21",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:41:46.146Z",
+ "modified": "2025-04-16T23:01:00.433Z",
"description": "Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json b/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json
index 8256b1532a..a58249931f 100644
--- a/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json
+++ b/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9cfbc246-6324-486d-b922-84d4d7057f18",
+ "id": "bundle--82548ded-959b-4965-ac42-63216ad780ea",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0a421699-f013-49f4-9d9f-01d95d210510",
"created": "2023-09-28T19:37:25.214Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:37:25.214Z",
+ "modified": "2025-04-16T23:01:00.654Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json b/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json
index 1b6027a686..8fcfb5a04a 100644
--- a/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json
+++ b/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ca106575-d48b-48ee-aad1-6c41c31b3bbc",
+ "id": "bundle--7eb12b15-84e2-4e99-acc0-fbe21be9087d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a",
"created": "2023-09-29T17:38:04.048Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:38:04.048Z",
+ "modified": "2025-04-16T23:01:00.869Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json b/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json
index 2337b55918..12265769ce 100644
--- a/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json
+++ b/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--dbe836a1-c699-40fc-8925-5c526ec94cd6",
+ "id": "bundle--c94bcb55-8077-4c10-b6b0-39da9c4762f3",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:29:20.151Z",
+ "modified": "2025-04-16T23:01:01.074Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json b/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json
index 8f6a485032..274ca7e79d 100644
--- a/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json
+++ b/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--33e7744d-2ac2-46cf-ac0b-ebfd339daaf9",
+ "id": "bundle--430ffba5-96f4-45f3-9962-fe84728ac420",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91",
"created": "2023-10-02T20:23:11.865Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:23:11.865Z",
+ "modified": "2025-04-16T23:01:01.311Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json b/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json
index b50f6c9029..a942ab7e30 100644
--- a/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json
+++ b/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9c7ea4d7-be53-415a-a05c-4e1cf671c5fb",
+ "id": "bundle--87dab889-bcd6-4a79-a86b-d8adc773c2a2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42",
"created": "2023-09-28T19:59:10.561Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:59:10.561Z",
+ "modified": "2025-04-16T23:01:01.508Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json b/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json
index 8f5fe9f5f1..b31c22fcc9 100644
--- a/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json
+++ b/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--19537b87-22b3-48bd-8f25-ec020dfe1ee0",
+ "id": "bundle--6b4d0e0d-2e3c-4f84-9552-27c9c29b1769",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f",
"created": "2023-09-28T21:22:48.239Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:22:48.239Z",
+ "modified": "2025-04-16T23:01:01.731Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json b/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json
index b8be2b0c83..2bbdc2e0ed 100644
--- a/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json
+++ b/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a4a28e16-c43b-4c23-94fb-c395d0eda3ac",
+ "id": "bundle--2a53c87a-7d17-4bf1-b890-04b41a11ec64",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:54:38.303Z",
+ "modified": "2025-04-16T23:01:01.935Z",
"description": "Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json b/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json
index 7024eec35b..d4554e8b36 100644
--- a/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json
+++ b/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--aaf6b1df-4978-4c2e-932a-eccae5337eb0",
+ "id": "bundle--e23f74ed-068e-4abb-b8c3-b5f12f77070d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b",
"created": "2023-09-29T18:46:22.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:46:22.739Z",
+ "modified": "2025-04-16T23:01:02.137Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json b/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json
index 03d44010ec..482ae8d1c9 100644
--- a/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json
+++ b/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--472fe1f6-f1fd-44ad-807b-ed054e76b5cf",
+ "id": "bundle--05cb293e-570f-424f-9209-605fba53b8ad",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016",
"created": "2023-09-28T20:10:34.479Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:10:34.479Z",
+ "modified": "2025-04-16T23:01:02.390Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json b/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json
index e93212a64c..3d2c504ee7 100644
--- a/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json
+++ b/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--107f8526-9744-4e9e-a7c7-ba1f44853dda",
+ "id": "bundle--abf35528-c54b-45ce-a4d2-710ac6692e04",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T15:41:15.111Z",
+ "modified": "2025-04-16T23:01:02.594Z",
"description": "[APT33](https://attack.mitre.org/groups/G0064) utilize backdoors capable of capturing screenshots once installed on a system. (Citation: Jacqueline O'Leary et al. September 2017)(Citation: Junnosuke Yagi March 2017)",
"relationship_type": "uses",
"source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
"target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json b/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json
index 946556fdd9..b1bd6702d2 100644
--- a/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json
+++ b/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4b605a7a-8123-4ee6-a96e-94d64eb5710c",
+ "id": "bundle--809edb24-730c-4316-91d4-a0fd0876510a",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:30:30.761Z",
+ "modified": "2025-04-16T23:01:02.827Z",
"description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)",
"relationship_type": "uses",
"source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json b/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json
index 450f143418..845b569694 100644
--- a/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json
+++ b/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d02f2a9e-aa39-466e-a9e3-e11e144c458b",
+ "id": "bundle--bc4f1e04-32f1-4bf2-a79a-2cba1bcacc38",
"spec_version": "2.0",
"objects": [
{
@@ -29,15 +29,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:19:56.151Z",
+ "modified": "2025-04-16T23:01:03.032Z",
"description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json b/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json
index e427d9a10b..a77d915f85 100644
--- a/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json
+++ b/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--88bc4550-536f-4fae-b6e5-fe172f3995fe",
+ "id": "bundle--4a7b3fd6-7a73-4ca8-b85a-000bb2b27519",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a",
"created": "2022-09-27T15:49:26.908Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:49:26.908Z",
+ "modified": "2025-04-16T23:01:03.264Z",
"description": "Monitor asset application logs for information that indicate task parameters have changed.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json b/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json
index f0eebb18f0..0fce4dfcf2 100644
--- a/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json
+++ b/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--79c1ec5a-03cf-4afe-887d-415784435373",
+ "id": "bundle--24c09f34-1fd2-40ac-89f2-aa1a50d60760",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0c72593d-fcc6-4023-8771-bed5e243310e",
"created": "2023-09-28T21:24:37.417Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:24:37.417Z",
+ "modified": "2025-04-16T23:01:03.462Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json b/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json
index fd8f42a7fd..aadc585b3e 100644
--- a/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json
+++ b/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--dd93f7d7-51d0-4e49-9d0d-e47a9107e782",
+ "id": "bundle--8764f673-053a-46ac-93ba-efbbda8059fc",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.070Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:03.714Z",
"description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json b/ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json
index 2ade09b3df..d42753c6a1 100644
--- a/ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json
+++ b/ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c1b48cc7-4cb0-447e-9be8-2586961c459f",
+ "id": "bundle--345b5636-af70-46e3-8b25-3b05b998999e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8",
"created": "2023-09-28T19:51:27.775Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:51:27.775Z",
+ "modified": "2025-04-16T23:01:03.908Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json b/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json
index 81d58a0543..1310ef69c2 100644
--- a/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json
+++ b/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a2e51cc8-e35b-42dc-9631-25ab16a3e002",
+ "id": "bundle--d6ebf91c-bd41-4982-9890-54e0a92a68f8",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:43:33.144Z",
+ "modified": "2025-04-16T23:01:04.114Z",
"description": "Monitor ICS management protocols for functions that change an asset\u2019s operating mode.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json b/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json
index e3e6ee57ef..465cad11da 100644
--- a/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json
+++ b/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--107a27e5-bd8c-404c-9bef-ce549bab8ac2",
+ "id": "bundle--2abd616f-935f-4aa4-847c-9601b38ec14c",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T15:17:08.493Z",
+ "modified": "2025-04-16T23:01:04.329Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.(Citation: CISA-AA22-103A) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json b/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json
index eaf9fe33d3..67918b3d5c 100644
--- a/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json
+++ b/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c8d76181-781b-4000-823f-debc8a15590a",
+ "id": "bundle--86604380-9007-4079-ba65-372dddb4b81e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0d52eea3-394e-492b-944b-9ccb6348329d",
"created": "2023-09-28T21:14:41.633Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:14:41.633Z",
+ "modified": "2025-04-16T23:01:04.553Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json b/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json
index b4b1373ba8..ddcf445ab8 100644
--- a/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json
+++ b/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6d4d75b1-0cf8-4997-bc6e-0ccc01fdd704",
+ "id": "bundle--11aebc7d-1715-470f-b7b6-3a14dc5f8cf4",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-30T16:00:14.208Z",
+ "modified": "2025-04-16T23:01:04.765Z",
"description": "Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., \u201cRead\u201d function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process\u2019 state, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab.json b/ics-attack/relationship/relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab.json
new file mode 100644
index 0000000000..eeef63ca1d
--- /dev/null
+++ b/ics-attack/relationship/relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--179ee913-d8d3-4fb9-a354-4ad2118d4e52",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab",
+ "created": "2024-11-20T23:08:24.321Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ },
+ {
+ "source_name": "Nozomi BUSTLEBERM 2024",
+ "description": "Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.",
+ "url": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:04.991Z",
+ "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) allows for the modification of system settings by reading and writing to registers via Modbus commands.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)",
+ "relationship_type": "uses",
+ "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05",
+ "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json b/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json
index b210b3f3fc..cf4799cc21 100644
--- a/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json
+++ b/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b8113aed-df3b-49d8-be96-17024f13440e",
+ "id": "bundle--f9579ab7-73d6-4ee6-8f86-ae81f8384e13",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0d8e0324-ba8e-4712-a123-60377afe94da",
"created": "2023-09-29T18:48:17.073Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:48:17.073Z",
+ "modified": "2025-04-16T23:01:05.201Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json b/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json
index 0489d7b525..0f00a779f8 100644
--- a/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json
+++ b/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--00e5995d-266c-446e-b3e8-e1edd2fc0b49",
+ "id": "bundle--f3c48c94-691f-4751-88e3-b55ea9be1d2f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136",
"created": "2023-09-29T17:57:12.010Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:57:12.010Z",
+ "modified": "2025-04-16T23:01:05.408Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json b/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json
index ab67329f22..b57075e016 100644
--- a/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json
+++ b/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--07a87396-5ba9-4be3-9fa2-0bcef37cbe9d",
+ "id": "bundle--e988de92-4dd3-400b-89c3-62833898955b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc",
"created": "2022-09-26T14:27:28.370Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:27:28.370Z",
+ "modified": "2025-04-16T23:01:05.617Z",
"description": "Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json b/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json
index 204f1d37e7..d94b86b53f 100644
--- a/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json
+++ b/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--c690de0d-aad6-495f-81b7-cc6d31971ca4",
+ "id": "bundle--8c4b3477-c9d5-4009-9833-cd81af9688ae",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.181Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:05.825Z",
"description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81.json b/ics-attack/relationship/relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81.json
index db66dd6c62..fc93c7118a 100644
--- a/ics-attack/relationship/relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81.json
+++ b/ics-attack/relationship/relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--28ebdec5-1e0c-4bab-a1a7-0879656a581c",
+ "id": "bundle--b6866373-8d78-4a60-b1cc-defc32da3b2b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81",
"created": "2024-04-09T20:58:17.933Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:58:17.933Z",
+ "modified": "2025-04-16T23:01:06.044Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json b/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json
index 6c3cb37db0..dca373b3bd 100644
--- a/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json
+++ b/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a2057259-651c-4e01-b129-b2819eaf035d",
+ "id": "bundle--51026a90-7cf7-4910-9e7f-435d44f09096",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954",
"created": "2023-09-29T16:27:50.949Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:27:50.949Z",
+ "modified": "2025-04-16T23:01:06.275Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json b/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json
index 2d1d93e165..00c5f81491 100644
--- a/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json
+++ b/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ae1cbd65-1f4b-40e4-a64c-ebff92e3b910",
+ "id": "bundle--092e097c-626d-45ca-be74-0abc38dd2fb0",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:34:04.450Z",
+ "modified": "2025-04-16T23:01:06.504Z",
"description": "Monitor industrial process history data for events that correspond with command message functions, such as setpoint modification or changes to system status for key devices. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json b/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json
index f65b5caddf..ace4cde6f0 100644
--- a/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json
+++ b/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4563b12b-d6e9-488d-ba8f-074e2ef94bd9",
+ "id": "bundle--44742d54-b1c3-4530-bb25-c068a38187ec",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:09:52.454Z",
+ "modified": "2025-04-16T23:01:06.755Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json b/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json
index 31543fff39..0917e017c5 100644
--- a/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json
+++ b/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--04ac147e-3324-44a2-b17c-2509f67459c7",
+ "id": "bundle--67d6c763-0400-4cc2-8dbf-508b37fd0831",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.202Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:06.954Z",
"description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json b/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json
index 8e46edc613..a84786feb7 100644
--- a/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json
+++ b/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d811d269-1a94-469f-80d8-fb588907a01f",
+ "id": "bundle--b933ab85-c47d-4c8a-ac1b-2c4907df190f",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T15:40:08.649Z",
+ "modified": "2025-04-16T23:01:07.197Z",
"description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. (Citation: Dragos)",
"relationship_type": "uses",
"source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json b/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json
index 4b3074aae4..4806cbedb8 100644
--- a/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json
+++ b/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--27a948ba-2ad9-43be-81b5-7ccd14367d3b",
+ "id": "bundle--9e01d7ef-dca6-4637-a6d3-7462eab3f582",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29",
"created": "2023-09-29T17:57:34.378Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:57:34.378Z",
+ "modified": "2025-04-16T23:01:07.422Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json b/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json
index 6e6065d7fa..dca4a51291 100644
--- a/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json
+++ b/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--29a6fccc-3b96-46b5-b16c-a1a9b1f1854b",
+ "id": "bundle--ab8ac175-18fe-4179-8a50-8540f202f669",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T15:41:49.943Z",
+ "modified": "2025-04-16T23:01:07.639Z",
"description": "[APT33](https://attack.mitre.org/groups/G0064) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0064) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. (Citation: Andy Greenburg June 2019)",
"relationship_type": "uses",
"source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json b/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json
index 45f2b8312d..864a83bbe4 100644
--- a/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json
+++ b/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f41f649a-4c15-43bd-afaf-5cb8eeb65d5d",
+ "id": "bundle--525f4d8d-33ea-41be-9a90-cc1fb9f1d185",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0f5295ce-d705-4541-8dda-c569b126d103",
"created": "2023-10-02T20:24:03.723Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:24:03.723Z",
+ "modified": "2025-04-16T23:01:07.855Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json b/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json
index 97294c804e..3b2a891cbe 100644
--- a/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json
+++ b/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--182aabe3-4dfd-4a6b-b034-fc8eb7acf8b0",
+ "id": "bundle--d8e251e2-384a-46a1-ab66-0a40f0d0eb9b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72",
"created": "2023-09-29T17:09:11.210Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:09:11.210Z",
+ "modified": "2025-04-16T23:01:08.076Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json b/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json
index ea45888c34..6ffc7720a5 100644
--- a/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json
+++ b/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--895ca5f6-aab5-4b79-af19-844d713eac77",
+ "id": "bundle--f928399f-eb79-4176-8a21-7411a3b6f366",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.197Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:08.311Z",
"description": "Devices should authenticate all messages between master and outstation assets.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json b/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json
index e35fcf2706..8f7895da78 100644
--- a/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json
+++ b/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--3858861b-19f8-494f-bb43-361e589f5574",
+ "id": "bundle--308aab39-8f57-43a4-9cb9-e1a9331ba8f1",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.209Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:08.518Z",
"description": "Ensure proper network segmentation between higher level corporate resources and the control process environment.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json b/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json
index d9b1121b8d..4697b16219 100644
--- a/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json
+++ b/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--b4538148-8254-49e4-a589-626b29c6c201",
+ "id": "bundle--8312be7c-7188-4ee3-be77-d758dcc09738",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.137Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:08.728Z",
"description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848",
"target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json b/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json
index da5ea6502f..cf42641398 100644
--- a/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json
+++ b/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--e8df454f-6cfc-45ed-9361-27889cf220d0",
+ "id": "bundle--1e0e263c-43d7-47f2-9c39-5f854c27185b",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.229Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:08.938Z",
"description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json b/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json
index 56addccc35..bd247cb369 100644
--- a/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json
+++ b/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--8f6e77a4-3008-4b85-971c-72adcb95ec1d",
+ "id": "bundle--46cafa8d-6fe1-49c5-a96f-15b63fe2b92d",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--10626671-941d-4a82-a835-56059058ef87",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.065Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:09.172Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json b/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json
index d098a1f888..01caec1b70 100644
--- a/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json
+++ b/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f35c26a8-a6cf-4688-963f-90614d38a496",
+ "id": "bundle--83acd70f-c1b8-4674-8e7d-2b94fdf256d5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--106530e1-375a-4ac4-befb-8297b3b05610",
"created": "2023-09-29T18:55:58.199Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:55:58.199Z",
+ "modified": "2025-04-16T23:01:09.431Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json b/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json
index 02c15cd86e..46477803a5 100644
--- a/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json
+++ b/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--24e6fa97-6317-4ff0-98fc-c8cd5f6566e2",
+ "id": "bundle--44693fd6-2fa1-4dc7-a6f5-011cd4e33ef2",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.099Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:09.650Z",
"description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json b/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json
index 08c8ab62cc..f46904fc0d 100644
--- a/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json
+++ b/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--34fde642-7088-4fed-8148-e8dbfa4fd994",
+ "id": "bundle--15e222e3-5b5b-4504-ac8b-8383e58fbea8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--10e87e4b-a231-42e3-a011-0031f8226936",
"created": "2022-09-26T17:15:51.819Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T17:15:51.819Z",
+ "modified": "2025-04-16T23:01:09.874Z",
"description": "Monitor for firmware changes which may be observable via operational alarms from devices.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json b/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json
index 47393e6ca9..704a72ad63 100644
--- a/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json
+++ b/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9b52fb20-f029-4bda-8900-eba76525d80f",
+ "id": "bundle--e029dbcd-a96e-4792-9aea-07caa31908d8",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:09:35.145Z",
+ "modified": "2025-04-16T23:01:10.104Z",
"description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if reporting messages are blocked. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json b/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json
index 2b55b4ce09..619dc77809 100644
--- a/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json
+++ b/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--ce66ac49-b22b-4afd-8898-05b45a936756",
+ "id": "bundle--b14df371-529e-457a-9193-682fdfa784ed",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.234Z",
- "relationship_type": "mitigates",
- "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n",
- "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
- "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Microsoft May 2017",
@@ -33,9 +25,16 @@
"url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:10.323Z",
+ "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
+ "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json b/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json
index bf2d5431f4..b4ebc0f30a 100644
--- a/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json
+++ b/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--199d6fce-ff75-4fbc-9a9b-be6816040603",
+ "id": "bundle--4b717a99-e380-498b-9aff-0eb2fe5f1065",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--11840b30-f0d1-4df5-a960-cdb80749c32a",
"created": "2023-09-29T17:07:25.209Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:07:25.209Z",
+ "modified": "2025-04-16T23:01:10.529Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json b/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json
index 369e9ba90d..93d750a132 100644
--- a/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json
+++ b/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7050ec2b-61d0-4a0b-a090-a033c04c0506",
+ "id": "bundle--8ca3992b-2a44-4b6a-8fce-b3072c47fad8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--11a82651-4d69-4738-89c6-17d0243cbbb0",
"created": "2023-09-29T17:37:26.536Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:37:26.536Z",
+ "modified": "2025-04-16T23:01:10.753Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json b/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json
index 19ff5b7e7d..d070dfff8e 100644
--- a/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json
+++ b/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d91bff05-2288-47d2-aa6c-b513d8255e3f",
+ "id": "bundle--9a53c578-8dc7-4c2a-bd6d-3eed7b35ffa0",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T17:07:03.003Z",
+ "modified": "2025-04-16T23:01:10.974Z",
"description": "Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json b/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json
index 53d02a8df3..474d7066bd 100644
--- a/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json
+++ b/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--bcf1c6f6-99b9-48a6-8004-60da6b928f6e",
+ "id": "bundle--43f3b357-dd99-42c9-8228-e27898c32f13",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:45:28.094Z",
+ "modified": "2025-04-16T23:01:11.177Z",
"description": "Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0605) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. (Citation: Ben Hunter and Fred Gutierrez July 2020)",
"relationship_type": "uses",
"source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json b/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json
index 163dbfdc6d..1396bcb15f 100644
--- a/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json
+++ b/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7a9332b2-176c-4a87-8fda-c8b79b16da05",
+ "id": "bundle--8c0e8db0-f374-4685-8821-9e788f78f13a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--128de3f9-df58-4122-9523-0ac65a6ebf71",
"created": "2023-09-29T17:45:20.237Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:45:20.237Z",
+ "modified": "2025-04-16T23:01:11.438Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json b/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json
index b5581b64e2..9606f57677 100644
--- a/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json
+++ b/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--434b47ce-0934-400f-be97-017acaaff76a",
+ "id": "bundle--6b04b581-7e6f-482e-a9bf-f8391eab555f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:10:34.653Z",
+ "modified": "2025-04-16T23:01:11.643Z",
"description": "Monitor for a loss of network communications, which may indicate this technique is being used.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json b/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json
index 291a5e73c8..141b739d5d 100644
--- a/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json
+++ b/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json
@@ -1,30 +1,30 @@
{
"type": "bundle",
- "id": "bundle--35664585-5bfb-47ee-b29b-a29d8855e1d9",
+ "id": "bundle--d7ee4f5d-5bb4-4aba-9378-10782c0df82f",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693",
"type": "relationship",
+ "id": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693",
"created": "2022-03-09T23:42:34.056Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Secureworks IRON VIKING ",
- "url": "https://www.secureworks.com/research/threat-profiles/iron-viking",
- "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."
+ "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.",
+ "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"
}
],
- "modified": "2022-03-09T23:42:34.056Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:57:44.250Z",
"description": "(Citation: Secureworks IRON VIKING )",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json b/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json
index 1b1c15244c..0fb5bef436 100644
--- a/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json
+++ b/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--6ab64e47-d833-4885-be12-1a72f3b7c00e",
+ "id": "bundle--6fdde8c0-2c19-433c-8b8e-cec269f9fe0c",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.077Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:11.964Z",
"description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json b/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json
index 1c59e1f381..01a96e0632 100644
--- a/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json
+++ b/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--569e1b06-c92d-483d-a8ce-ec8195696b54",
+ "id": "bundle--826b8e2c-7968-4c42-bfb1-a73787ab965e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4",
"created": "2023-09-28T21:13:23.057Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:13:23.057Z",
+ "modified": "2025-04-16T23:01:12.182Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--12e84466-fb05-4d55-9220-5933ee0fcb43.json b/ics-attack/relationship/relationship--12e84466-fb05-4d55-9220-5933ee0fcb43.json
new file mode 100644
index 0000000000..f2a97a7d99
--- /dev/null
+++ b/ics-attack/relationship/relationship--12e84466-fb05-4d55-9220-5933ee0fcb43.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--fe6adc15-1474-4f25-81d3-0d012f692877",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--12e84466-fb05-4d55-9220-5933ee0fcb43",
+ "created": "2024-11-20T23:16:42.816Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:12.437Z",
+ "description": "[FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041) used [FrostyGoop](https://attack.mitre.org/software/S1165) to manipulate OT devices to induce a district heating disruption in Ukraine.(Citation: Dragos FROSTYGOOP 2024)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f",
+ "target_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json b/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json
index 6359aa1245..ff6f053afa 100644
--- a/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json
+++ b/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--43771bb6-9057-454e-a749-e838cb3fa021",
+ "id": "bundle--db03fcb4-08b3-4a26-b365-eb438ecc03ba",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36",
"created": "2023-09-28T19:39:58.335Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:39:58.335Z",
+ "modified": "2025-04-16T23:01:12.635Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json b/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json
index 0bb09601d8..a6ad57f222 100644
--- a/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json
+++ b/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8ed91eee-5d3b-4ad4-839d-55466a93b55d",
+ "id": "bundle--8e4ef8d1-0262-422c-99c5-70db1146338e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f",
"created": "2022-09-26T18:41:48.947Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T18:41:48.947Z",
+ "modified": "2025-04-16T23:01:12.863Z",
"description": "Monitor for firmware changes which may be observable via operational alarms from devices.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json b/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json
index 3cd21276d7..b946aa0cf4 100644
--- a/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json
+++ b/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6e18251f-efa7-4429-a69a-059ead58d668",
+ "id": "bundle--8537e417-573f-41e5-8835-d6bf32eec778",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:24:07.929Z",
+ "modified": "2025-04-16T23:01:13.098Z",
"description": "[Triton](https://attack.mitre.org/software/S1009)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. (Citation: Jos Wetzels January 2018)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json b/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json
index f5da933fe4..a41742ef28 100644
--- a/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json
+++ b/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--67ec389f-fcdb-40ab-927f-4cf2312de4ac",
+ "id": "bundle--a9c3bb6e-2cb3-4c5b-b72a-7da3694697dd",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.071Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:13.314Z",
"description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json b/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json
index 4e8a26c0b5..dfdbc5700f 100644
--- a/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json
+++ b/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--7ca3ca39-6015-449c-b629-47cd1f280748",
+ "id": "bundle--85aed9b0-48a4-4c73-8c4a-fefcf591d337",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T15:18:18.595Z",
+ "modified": "2025-04-16T23:01:13.517Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) established an internal proxy prior to the installation of backdoors within the network. (Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json b/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json
index 2f23c84d93..16ba85f370 100644
--- a/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json
+++ b/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--95e04ec7-5f1b-4fa6-b047-077e6c2de3ce",
+ "id": "bundle--d8c7022c-0e4b-4e9a-b56f-5a081107b39e",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:38:23.604Z",
+ "modified": "2025-04-16T23:01:13.729Z",
"description": "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json b/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json
index a4ce114b9d..db6daf3588 100644
--- a/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json
+++ b/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e6d558b4-83ec-475e-939f-e4a3df6582e8",
+ "id": "bundle--6d83458c-ef45-4fa1-8db8-b97d9ea94eaa",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6",
"created": "2023-10-02T20:24:12.666Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:24:12.666Z",
+ "modified": "2025-04-16T23:01:13.959Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json b/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json
index 13d251dbcb..eea5f22648 100644
--- a/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json
+++ b/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7a3c5709-8c70-4523-ab68-1d88d12eb471",
+ "id": "bundle--4301354a-d997-4baa-8186-5e83285e00c6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc",
"created": "2023-09-29T16:32:33.078Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:32:33.078Z",
+ "modified": "2025-04-16T23:01:14.173Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json b/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json
index 9a4c9217e3..d3541eb51b 100644
--- a/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json
+++ b/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--8afdcfa9-c1e7-4add-aba3-0a3e91dd31ee",
+ "id": "bundle--690e7ad0-41bd-4752-9af3-0f547708f4c3",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.204Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:14.383Z",
"description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json b/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json
index c53de78002..8b12954370 100644
--- a/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json
+++ b/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--08be7511-40de-4ff0-a8b6-68bdda0ae0a4",
+ "id": "bundle--0b421a32-93a5-44bd-ba57-ad0b6b386a5e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495",
"created": "2023-09-29T16:40:06.079Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:40:06.079Z",
+ "modified": "2025-04-16T23:01:14.631Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json b/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json
index ae17a8edb6..d237c43622 100644
--- a/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json
+++ b/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--32d98038-4d29-4beb-b1ba-49f853152dee",
+ "id": "bundle--e35bb1a6-09c0-4646-a8ad-ca27256a8e0f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:37:54.914Z",
+ "modified": "2025-04-16T23:01:14.875Z",
"description": "Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host\u2019s GUI.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json b/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json
index 24ed65febb..e8c01dd524 100644
--- a/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json
+++ b/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--845d1743-8086-4cf6-b33b-d8d404e5fe8e",
+ "id": "bundle--e2bf1a77-9328-41f4-847c-918aeb6e7549",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a",
"created": "2023-09-28T19:47:25.303Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:47:25.303Z",
+ "modified": "2025-04-16T23:01:15.092Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json b/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json
index 52bc446f64..a18162c14e 100644
--- a/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json
+++ b/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ffc39f61-028f-45d4-921d-ea1445bb7260",
+ "id": "bundle--f72be7f6-c1ad-4278-8dd8-db015008f6c5",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:48:49.308Z",
+ "modified": "2025-04-16T23:01:15.316Z",
"description": "Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json b/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json
index 71f0c5a032..9db6f93da5 100644
--- a/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json
+++ b/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f151c8cc-eb33-4948-82aa-c8c00064933e",
+ "id": "bundle--d14120ac-ab24-4112-a0ca-87adc0e5cffb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--159fb736-ba92-4564-aa6d-db6f64497763",
"created": "2023-09-28T20:25:59.717Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:25:59.717Z",
+ "modified": "2025-04-16T23:01:15.566Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json b/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json
index 0737d9e08b..76047ef91b 100644
--- a/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json
+++ b/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--abaf6d43-25a0-48aa-a4f6-a4929fab34cb",
+ "id": "bundle--60a5ea78-33d2-4294-a6d0-c639bbd70664",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:30:27.289Z",
+ "modified": "2025-04-16T23:01:15.768Z",
"description": "Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916.json b/ics-attack/relationship/relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916.json
index 696e6c36b1..1082a20cce 100644
--- a/ics-attack/relationship/relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916.json
+++ b/ics-attack/relationship/relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--07766a00-45f9-4e64-a8f6-669371fb095f",
+ "id": "bundle--2d62500a-45ed-4e80-9de8-d8051f66f97b",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-15T21:11:42.337Z",
+ "modified": "2025-04-16T23:01:15.976Z",
"description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused multiple businesses to halt operations due to the unavailability of the [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) and [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). These victims covered multiple sectors.(Citation: Jamie Tarabay and Katrina Manson December 2023)",
"relationship_type": "uses",
"source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de",
"target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json b/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json
index 077b70e2f8..f210f33973 100644
--- a/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json
+++ b/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5217e736-4166-4fac-9bea-64634ebf61e0",
+ "id": "bundle--3f452b00-bd1c-4136-ac42-af94d70f83d3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b",
"created": "2023-09-28T20:06:03.889Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:06:03.889Z",
+ "modified": "2025-04-16T23:01:16.202Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json b/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json
index 023acfa8ed..078635dde9 100644
--- a/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json
+++ b/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f14275bc-e04c-4547-bdaf-1980a08c63ad",
+ "id": "bundle--1fc38b08-ae5c-4672-9d51-0dd60577d193",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4",
"created": "2023-09-29T18:48:52.853Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:48:52.853Z",
+ "modified": "2025-04-16T23:01:16.427Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--16c7240e-0559-4c49-9003-1bfe97074252.json b/ics-attack/relationship/relationship--16c7240e-0559-4c49-9003-1bfe97074252.json
index 48e7dda871..ea378ba5fb 100644
--- a/ics-attack/relationship/relationship--16c7240e-0559-4c49-9003-1bfe97074252.json
+++ b/ics-attack/relationship/relationship--16c7240e-0559-4c49-9003-1bfe97074252.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4870ae5b-35ee-4505-b112-82425afa699b",
+ "id": "bundle--6cb21566-6106-460d-a564-4080bffde74d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--16c7240e-0559-4c49-9003-1bfe97074252",
"created": "2024-04-09T21:02:28.446Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T21:02:28.446Z",
+ "modified": "2025-04-16T23:01:16.647Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json b/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json
index 048e84907b..afb3d10f0f 100644
--- a/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json
+++ b/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--345326c4-0f50-496a-a001-95f7e62e0df4",
+ "id": "bundle--d1ff8eb0-dce7-4e9c-96bb-b46e1e541ba8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d",
"created": "2023-03-30T18:57:58.377Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T18:57:58.377Z",
+ "modified": "2025-04-16T23:01:16.873Z",
"description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data from local systems. The modules are named: infostealer 1, infostealer 2 and reconnaissance. (Citation: Symantec)",
"relationship_type": "uses",
"source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json b/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json
index 55344f8313..a2df4e8554 100644
--- a/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json
+++ b/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ffe82f45-2d26-4409-abcf-357ac92fb6e4",
+ "id": "bundle--b456fd2f-efde-4e6f-805e-eb6dfd6baba0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749",
"created": "2023-09-29T17:05:30.498Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:05:30.498Z",
+ "modified": "2025-04-16T23:01:17.069Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json b/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json
index c3c6ae9cd4..78ac041dd6 100644
--- a/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json
+++ b/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--9d2f28ee-ff1f-42f1-867c-278213d8232c",
+ "id": "bundle--b2f00803-88d2-4a97-b764-26f6ee433166",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.128Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:17.318Z",
"description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433",
"target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json b/ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json
index 296a8bdb1e..38473e2c56 100644
--- a/ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json
+++ b/ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8cc63595-e7cb-4dcb-91f6-99cdceb5fb09",
+ "id": "bundle--46a1cf18-3467-4061-8e69-145caba6177f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa",
"created": "2023-10-02T20:18:01.546Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:18:01.546Z",
+ "modified": "2025-04-16T23:01:17.536Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json b/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json
index 3997bb9987..6068cca385 100644
--- a/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json
+++ b/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6a00c8c9-d209-4aa7-a3c2-dfdbca1bfc5e",
+ "id": "bundle--0faac68c-bde3-4522-a745-fb1412601cc6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab",
"created": "2023-09-29T17:45:45.485Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:45:45.485Z",
+ "modified": "2025-04-16T23:01:17.759Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json b/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json
index 65ed4a6c40..e647fc6d96 100644
--- a/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json
+++ b/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--72703bf5-8e2a-496f-b1fe-a32acf01bd88",
+ "id": "bundle--23e79b2d-c855-4aa3-9da2-7501521f6c04",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:26:48.171Z",
+ "modified": "2025-04-16T23:01:17.963Z",
"description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json b/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json
index 42349934c5..eda3d50e7f 100644
--- a/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json
+++ b/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--43978929-b200-4e1c-9b58-65ccb336559b",
+ "id": "bundle--eac3237a-972f-4ab4-8dcc-4736003f0298",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1865830b-511d-4302-99f7-6143647a8e40",
"created": "2023-10-02T20:23:52.339Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:23:52.339Z",
+ "modified": "2025-04-16T23:01:18.192Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5.json b/ics-attack/relationship/relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5.json
index 261f8b886b..f7b41bbcf6 100644
--- a/ics-attack/relationship/relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5.json
+++ b/ics-attack/relationship/relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4e483da7-7ac8-4f0a-9ccf-fc72ac8030ca",
+ "id": "bundle--92500e45-cf79-4e8a-b213-999a360897d6",
"spec_version": "2.0",
"objects": [
{
@@ -39,15 +39,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-15T21:11:59.782Z",
+ "modified": "2025-04-16T23:01:18.419Z",
"description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) defaced controllers\u2019 [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002), which prevented multiple entities from being able to operate their devices normally.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)(Citation: Jamie Tarabay and Katrina Manson December 2023)(Citation: Frank Bajak and Marc Levy December 2023) Additionally, the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused a communications failure in a remote pumping station.(Citation: WPXI Aliquippa Water November 2023)",
"relationship_type": "uses",
"source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json b/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json
index 7d7742b11f..8bb0ed930d 100644
--- a/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json
+++ b/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c37ef9e8-565d-4ba6-a697-d11005987334",
+ "id": "bundle--3a1c3637-6f96-4ff1-a219-2499dd34a43c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--18af193c-160a-4cae-9078-4d69de5c2347",
"created": "2023-09-29T18:56:21.340Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:56:21.340Z",
+ "modified": "2025-04-16T23:01:18.630Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json b/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json
index 1f47fdb13c..d1b196a5b3 100644
--- a/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json
+++ b/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0305f9f0-2878-4b88-9867-d6d495f67c2d",
+ "id": "bundle--6add3f87-fbc9-4c09-bb64-d82163200998",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75",
"created": "2023-09-29T18:02:01.822Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:02:01.822Z",
+ "modified": "2025-04-16T23:01:18.861Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json b/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json
index 37ce801482..a946354855 100644
--- a/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json
+++ b/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--b255b46b-7c71-4800-a3ba-231c42a0bf07",
+ "id": "bundle--a6076727-7b17-4d25-a0d9-09e1790484ac",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.096Z",
- "relationship_type": "mitigates",
- "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
- "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
- "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:19.081Z",
+ "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
+ "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json b/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json
index 5e5f306b3b..a142226926 100644
--- a/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json
+++ b/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--055f12fe-a536-4f49-b3be-2a7317789183",
+ "id": "bundle--aeea8870-7e23-42c8-afa7-76ed6c7bf062",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:30:40.378Z",
+ "modified": "2025-04-16T23:01:19.315Z",
"description": "Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json b/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json
index 1b528b3305..a54c275125 100644
--- a/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json
+++ b/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a4eee12d-74ab-4ace-a22d-49aa2cf6cb9e",
+ "id": "bundle--99066a72-7813-47b8-b772-d6fc819c4b2c",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--19ab6776-42de-48af-975a-568d31a3bb66",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.152Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016) (Citation: N/A)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -28,9 +20,16 @@
"url": "https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:19.534Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016) (Citation: N/A)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json b/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json
index c631289558..050e166e34 100644
--- a/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json
+++ b/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b92ae396-7e46-4579-b3ec-f5800414b171",
+ "id": "bundle--9ca11e43-660c-4940-9e6e-82b15df30808",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T15:17:21.181Z",
+ "modified": "2025-04-16T23:01:19.765Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json b/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json
index c785c120e4..06ab902043 100644
--- a/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json
+++ b/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--acb1c1a7-8f86-4ec4-8ab5-e8b58caca853",
+ "id": "bundle--44331e5c-796c-472f-a21b-c85e1d9aed9c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c",
"created": "2023-09-28T20:11:23.956Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:11:23.956Z",
+ "modified": "2025-04-16T23:01:19.981Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json b/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json
index 1cccb4319d..3e9cc79b90 100644
--- a/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json
+++ b/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--70dec049-1d59-490c-afe1-c94b0d1d7dc5",
+ "id": "bundle--6ce8ad4d-bd0f-4da8-bf13-05dbcd88ec14",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826",
"created": "2023-09-28T21:13:49.529Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:13:49.529Z",
+ "modified": "2025-04-16T23:01:20.204Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json b/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json
index 6669c62ffe..a7f9a4afcf 100644
--- a/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json
+++ b/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fcce3508-793e-440b-b211-96f23af329b0",
+ "id": "bundle--22edd38c-8208-4ef4-9a6e-766377e41668",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0",
"created": "2023-10-02T20:18:45.122Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:18:45.122Z",
+ "modified": "2025-04-16T23:01:20.422Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json b/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json
index bf70a60092..3dd87ca2a0 100644
--- a/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json
+++ b/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--515de971-fe62-407a-a9f7-8ea20c78d933",
+ "id": "bundle--110c25c8-0f48-4796-9bcc-d3f951bcc42a",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.106Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:20.632Z",
"description": "Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json b/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json
index 11832368a2..0ace7dfc19 100644
--- a/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json
+++ b/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a76a2ef0-ba87-4598-a009-c3fe58d81bba",
+ "id": "bundle--bdf4f550-372f-46cb-84ad-2d44f5215886",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1a900ac4-c150-4b57-a899-990854b01d4b",
"created": "2023-09-29T16:33:50.423Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:33:50.423Z",
+ "modified": "2025-04-16T23:01:20.874Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json b/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json
index 412b560886..c6c2e0788f 100644
--- a/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json
+++ b/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f65cad3d-844b-47e5-9f76-6f888a474a15",
+ "id": "bundle--58f1b342-886e-43ee-8c9b-6eb11db3dcc0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356",
"created": "2023-09-29T18:57:45.950Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:57:45.950Z",
+ "modified": "2025-04-16T23:01:21.089Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json b/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json
index d722a7c865..b973c1c25d 100644
--- a/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json
+++ b/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ac447b6f-c199-405e-8bee-3fb4f88621d9",
+ "id": "bundle--c98c0b34-faf0-43fc-92ad-f4ff96c6525c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d",
"created": "2023-09-28T20:09:21.736Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:09:21.736Z",
+ "modified": "2025-04-16T23:01:21.309Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json b/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json
index 0dacf13539..87f920ffd5 100644
--- a/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json
+++ b/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--9698be30-3c75-4e01-a80b-adc3d05b5f98",
+ "id": "bundle--d839f46c-0932-48a7-8af0-438180991532",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.228Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:21.511Z",
"description": "If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5.json b/ics-attack/relationship/relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5.json
index f5bfb9f03d..5854a79dbd 100644
--- a/ics-attack/relationship/relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5.json
+++ b/ics-attack/relationship/relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f21361b7-6656-476a-84a5-c8e32cac3dc3",
+ "id": "bundle--a42d86a5-0d3f-4fcb-abb8-652f202acb37",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-15T21:12:20.534Z",
+ "modified": "2025-04-16T23:01:21.720Z",
"description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) discovered and exploited default credentials found on many Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). For many of these devices, the default password was set to \u20181111\u2019.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)",
"relationship_type": "uses",
"source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de",
"target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json b/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json
index 77bb78143c..cd3812bd32 100644
--- a/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json
+++ b/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--73a19527-77cc-44a2-acdc-706ac6a882a4",
+ "id": "bundle--0ebca58e-5625-4339-89ba-defde691778b",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:42:43.105Z",
+ "modified": "2025-04-16T23:01:21.946Z",
"description": "Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json b/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json
index 5a473b0140..bbc4637880 100644
--- a/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json
+++ b/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--82e6f5a8-8926-4bf3-913d-5956aae97a02",
+ "id": "bundle--628ced5c-e3c5-48a3-8881-53ff9845950c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185",
"created": "2023-09-29T18:01:06.725Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:01:06.725Z",
+ "modified": "2025-04-16T23:01:22.157Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d.json b/ics-attack/relationship/relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d.json
index 936bb246a5..a345b732c9 100644
--- a/ics-attack/relationship/relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d.json
+++ b/ics-attack/relationship/relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--88b393f0-0a99-454b-9c25-c33253878c34",
+ "id": "bundle--c539f6eb-93f2-42c6-8669-a384bae36627",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d",
"created": "2024-09-11T22:51:15.202Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-09-11T22:51:15.202Z",
+ "modified": "2025-04-16T23:01:22.366Z",
"description": "[Fuxnet](https://attack.mitre.org/software/S1157) execution relied upon accessing Internet-accessible devices for initial access and deployment.(Citation: Claroty Fuxnet 2024)",
"relationship_type": "uses",
"source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b",
"target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json b/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json
index d1573511ec..dc0b8ffca9 100644
--- a/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json
+++ b/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--045c3917-d20d-4481-a68d-916aa5d53a05",
+ "id": "bundle--6bb85c87-76e8-417e-8574-6a5387ce3d4e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5",
"created": "2023-09-29T17:43:41.332Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:43:41.332Z",
+ "modified": "2025-04-16T23:01:22.572Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json b/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json
index 6fe0e3c29a..a58eff530b 100644
--- a/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json
+++ b/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f97c3cc2-928b-4fdb-939f-c7204e4d4925",
+ "id": "bundle--c94003c5-f597-45e3-b0bc-99d4f2d07863",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b",
"created": "2023-09-29T16:41:44.745Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:41:44.745Z",
+ "modified": "2025-04-16T23:01:22.779Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json b/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json
index dc81ec9d58..90e4125d38 100644
--- a/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json
+++ b/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1086aadc-47e3-4740-9063-37e15bd7dcd1",
+ "id": "bundle--9db8975c-69a6-42a3-907e-d8dd3bc25697",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738",
"created": "2023-09-29T18:00:32.581Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:00:32.581Z",
+ "modified": "2025-04-16T23:01:22.979Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json b/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json
index 4e9c701f2d..be8017e2f8 100644
--- a/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json
+++ b/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6ce551c7-65a6-40cc-babf-ab9444ca83e6",
+ "id": "bundle--e22c9b2a-56b1-4184-9f37-6da5da75298a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:11:33.323Z",
+ "modified": "2025-04-16T23:01:23.181Z",
"description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json b/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json
index caf0ea4a8e..08d42e9049 100644
--- a/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json
+++ b/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e3f34f6e-adb1-416e-bc22-ad4caed72f74",
+ "id": "bundle--bb818189-7bf5-4dab-8e23-e32e60b58b10",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:37:12.017Z",
+ "modified": "2025-04-16T23:01:23.423Z",
"description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json b/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json
index 31338cbb7e..4e1c4857b1 100644
--- a/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json
+++ b/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a84a559b-e220-4788-bcf4-851d077e46e4",
+ "id": "bundle--d6831385-8303-415f-820f-1001debf23d7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1c7df4f1-cee5-42c6-a974-29552552666f",
"created": "2023-09-28T19:47:08.952Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:47:08.952Z",
+ "modified": "2025-04-16T23:01:23.628Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json b/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json
index bbf6266972..750b6fca07 100644
--- a/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json
+++ b/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6deb3864-610f-483e-876d-60fa0e24e61c",
+ "id": "bundle--2552bbdf-a245-40c6-8f5b-7ed9df2deafa",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-29T20:10:57.573Z",
+ "modified": "2025-04-16T23:01:23.875Z",
"description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json b/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json
index 88b39c74aa..9c997f7767 100644
--- a/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json
+++ b/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f9e8da3f-f503-41b6-856c-7f0c4ac2d449",
+ "id": "bundle--2577fc88-f46d-43f7-acbb-42248f300528",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081",
"created": "2023-09-29T18:46:12.052Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:46:12.052Z",
+ "modified": "2025-04-16T23:01:24.077Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json b/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json
index 867c12d806..eb34f340c9 100644
--- a/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json
+++ b/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f162146b-27e1-46b0-ae58-45e91d58ce9b",
+ "id": "bundle--54e26130-6b58-425b-9732-93a9ff2d2065",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-29T20:19:47.429Z",
+ "modified": "2025-04-16T23:01:24.315Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\n[Stuxnet](https://attack.mitre.org/software/S0603) was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json b/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json
index 4a5b5683e4..f4dd08f2a2 100644
--- a/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json
+++ b/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e48d5b93-5838-45cb-a710-977bd31570a4",
+ "id": "bundle--ad0c6e9b-1fcf-4abe-8487-4bfb701cfa90",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1d399f67-090e-444b-b75d-eed4b1780f08",
"created": "2022-09-26T18:42:16.844Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T18:42:16.844Z",
+ "modified": "2025-04-16T23:01:24.532Z",
"description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json b/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json
index 2e026a4f9f..06108c977e 100644
--- a/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json
+++ b/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--462d5bab-642a-42cc-86ed-0d9e095aaf82",
+ "id": "bundle--07bfb393-d1a7-4d50-9aff-c0045dacab09",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653",
"created": "2023-09-29T17:40:22.705Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:40:22.705Z",
+ "modified": "2025-04-16T23:01:24.766Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json b/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json
index 6092e9da2b..2768d00969 100644
--- a/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json
+++ b/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--180c8f35-b237-4454-9de4-042381bd9678",
+ "id": "bundle--f3f8a3b3-f511-42ad-aaf6-e84f201c45c2",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T13:25:35.597Z",
+ "modified": "2025-04-16T22:00:48.950Z",
"description": "(Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json b/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json
index 67b6efd3cf..d24422c263 100644
--- a/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json
+++ b/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--73d5eb75-93cd-4188-8006-f6204311432e",
+ "id": "bundle--9616844f-3eb6-4c04-b793-acb71885e851",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:46:56.223Z",
+ "modified": "2025-04-16T23:01:25.078Z",
"description": "[EKANS](https://attack.mitre.org/software/S0605) performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. (Citation: Ben Hunter and Fred Gutierrez July 2020)",
"relationship_type": "uses",
"source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
"target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json b/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json
index e94564ff73..76d011c09a 100644
--- a/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json
+++ b/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4e483e3c-c1a0-456a-8fe5-68e2b358cd72",
+ "id": "bundle--5a3424fa-f62b-45f9-9985-4b7b1fbf02b5",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:49:58.047Z",
+ "modified": "2025-04-16T23:01:25.317Z",
"description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json b/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json
index 1f1b9467fb..60df70f7fc 100644
--- a/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json
+++ b/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6ed66db3-3119-4401-8818-a81fd0bb8622",
+ "id": "bundle--8f65651f-510b-486c-88e0-0dc5ffbf567f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T18:46:37.894Z",
+ "modified": "2025-04-16T23:01:25.536Z",
"description": "Analyze network data for uncommon data flows (e.g., new protocols in use between hosts, unexpected ports in use). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json b/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json
index 802b89f950..135105da61 100644
--- a/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json
+++ b/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--08337d9b-0ba9-4821-9859-399fdc7322c4",
+ "id": "bundle--1e803a1a-7252-423b-8c72-3976e4bcd555",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e",
"created": "2023-09-28T21:12:25.345Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:12:25.345Z",
+ "modified": "2025-04-16T23:01:25.760Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json b/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json
index e83729cf25..41cf92c5e6 100644
--- a/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json
+++ b/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--209a8df0-ee0b-41f5-8342-6b617f611e14",
+ "id": "bundle--d65dfb61-098a-49c0-9147-57b8441b2832",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:56:06.055Z",
+ "modified": "2025-04-16T23:01:25.966Z",
"description": "Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json b/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json
index 0f9078064d..6c70ed4e81 100644
--- a/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json
+++ b/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e1634768-9dec-47fd-a659-4aa300d6c80e",
+ "id": "bundle--a49152c8-a371-401f-94e4-96ddd88f72c6",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.433Z",
+ "modified": "2025-04-16T23:01:26.160Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json b/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json
index 18ee31762d..b3ebafdff1 100644
--- a/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json
+++ b/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b6457d4c-3363-4eb9-974f-cf8038e0a4e1",
+ "id": "bundle--534e6b68-c581-44d3-ad67-e016233b3adf",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:34:32.554Z",
+ "modified": "2025-04-16T23:01:26.376Z",
"description": "Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json b/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json
index 89a52ec767..b3f1dd662d 100644
--- a/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json
+++ b/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--546529a3-aadb-4b15-8b2e-646bd64df8bd",
+ "id": "bundle--72a6c8b1-71ab-41ea-bfef-9619029c25ff",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--1f87378c-49fb-4da5-8ed3-3672633d3713",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--1f87378c-49fb-4da5-8ed3-3672633d3713",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.123Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:26.589Z",
"description": "Regularly scan the internal network for available services to identify new and potentially vulnerable services.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json b/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json
index d1dff2e372..bff6912b30 100644
--- a/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json
+++ b/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9a77885b-1b01-4c6d-b9e3-2ff6d9eff2e5",
+ "id": "bundle--9f3925b7-b721-410c-b774-923c4f7c34d1",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:24:19.351Z",
+ "modified": "2025-04-16T23:01:26.813Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. (Citation: Jos Wetzels January 2018)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json b/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json
index 7199ad6d8d..937c0fcb68 100644
--- a/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json
+++ b/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--1360320e-fafa-47e9-aab4-c6ba66c4a3ff",
+ "id": "bundle--37ce47fb-6b7b-4eca-90c8-64f56fd41204",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.235Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:27.009Z",
"description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Implement user accounts for each individual for enforcement and non-repudiation of actions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json b/ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json
index c75fda47e3..0b89e4b5d7 100644
--- a/ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json
+++ b/ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5d7d9152-c07a-4d91-9662-ee0f57ab5af1",
+ "id": "bundle--85a7993a-5ac7-41d6-ac80-ce85475735db",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8",
"created": "2023-09-29T17:09:59.595Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:09:59.595Z",
+ "modified": "2025-04-16T23:01:27.268Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json b/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json
index ba127cbf29..088c690355 100644
--- a/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json
+++ b/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--5b9cea26-c463-4b1b-9c2d-87c87884ceac",
+ "id": "bundle--666e18a8-8325-4011-8017-b040d9fa7586",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:03:36.379Z",
+ "modified": "2025-04-16T23:01:27.469Z",
"description": "[REvil](https://attack.mitre.org/software/S0496) initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. (Citation: Tom Fakterman August 2019)",
"relationship_type": "uses",
"source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json b/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json
index ed5b1e53de..e1cebda1b3 100644
--- a/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json
+++ b/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--91ac1717-5367-453b-87ec-cb7a5d881599",
+ "id": "bundle--6088480e-9de5-470a-98b4-0d326ae54348",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3",
"created": "2023-09-28T19:54:37.802Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:54:37.802Z",
+ "modified": "2025-04-16T23:01:27.677Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json b/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json
index 3658dd42be..136040ff00 100644
--- a/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json
+++ b/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--bacfd9f2-48a1-484f-9f4a-512d54f32c32",
+ "id": "bundle--22f525d4-4b5b-407b-9540-eaea4bb26d6c",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:34:31.627Z",
+ "modified": "2025-04-16T23:01:27.884Z",
"description": "Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a network.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json b/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json
index a04798e275..b48bf085cf 100644
--- a/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json
+++ b/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--162a98e7-0bb9-4c03-98db-242e911fa326",
+ "id": "bundle--5b7072db-b442-40d3-aa3b-85b77de3c8e6",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T18:40:20.312Z",
+ "modified": "2025-04-16T23:01:28.124Z",
"description": "Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\\Windows\\System32). ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
"target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json b/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json
index df8704ef15..84296947ac 100644
--- a/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json
+++ b/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a2e2493d-cb53-4ddd-89ab-4804cebc10e8",
+ "id": "bundle--82684c92-682e-4a9b-95e2-8252ac79fd36",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--206cc4c8-797e-427b-86f1-4c81df391c6e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.224Z",
- "relationship_type": "mitigates",
- "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Karen Scarfone; Paul Hoffman September 2009",
@@ -38,9 +30,16 @@
"url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:28.376Z",
+ "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json b/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json
index 6a91dbccb0..b2b1ef6854 100644
--- a/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json
+++ b/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--21b1e471-4cdc-4cf5-a7b2-1c756f174861",
+ "id": "bundle--73fc45b9-b992-4e0e-8695-75f0db2ca6b7",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-06T22:09:28.674Z",
+ "modified": "2025-04-16T23:01:28.574Z",
"description": "[Industroyer2](https://attack.mitre.org/software/S1072) can iterate across a device\u2019s IOAs to modify the ON/OFF value of a given IO state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)",
"relationship_type": "uses",
"source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json b/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json
index 35053db575..d9fd3345e6 100644
--- a/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json
+++ b/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a9412b4d-1135-4b7a-a595-d89414603ad1",
+ "id": "bundle--91d93da8-b194-45f9-9e8e-2323016c6835",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.094Z",
- "relationship_type": "mitigates",
- "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
- "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
- "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:28.816Z",
+ "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
+ "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json b/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json
index df9962956e..d79c249a78 100644
--- a/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json
+++ b/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0ad870ed-b513-4482-89f3-83f96485a693",
+ "id": "bundle--120b6441-5bd8-41ba-868f-e53383d3bb99",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--208fe57b-cf2e-4188-8a6f-77597cd60351",
"created": "2023-09-29T17:44:43.317Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:44:43.317Z",
+ "modified": "2025-04-16T23:01:29.056Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json b/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json
index dd0d821106..07b08e20a8 100644
--- a/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json
+++ b/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--6b6cbec0-3e56-470a-ac08-c35d73221678",
+ "id": "bundle--afcd30dd-f083-4aae-b2fe-13248faef0eb",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.084Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:29.277Z",
"description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c",
"target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json b/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json
index f2a50afb9e..5230b8eeae 100644
--- a/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json
+++ b/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--25837919-fd9c-4e13-8a2e-597c545d80cc",
+ "id": "bundle--174f36e3-66a2-4fab-9f97-3300dcd99317",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:00:13.772Z",
+ "modified": "2025-04-16T23:01:29.490Z",
"description": "[PLC-Blaster](https://attack.mitre.org/software/S1006)'s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
"relationship_type": "uses",
"source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json b/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json
index ca12dfdf75..902085dd8b 100644
--- a/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json
+++ b/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c8456ebc-cfca-495a-905a-8a42dd7e8f33",
+ "id": "bundle--3b491f01-8adc-42f6-840c-14ec8893517a",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:00:27.700Z",
+ "modified": "2025-04-16T23:01:29.718Z",
"description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
"relationship_type": "uses",
"source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
"target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json b/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json
index ff6abe119e..6bec2793f4 100644
--- a/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json
+++ b/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4b11a57f-a74f-4fce-8312-ced2f7a7073f",
+ "id": "bundle--b678d565-889a-4a7f-9e3a-90f502176daa",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--21058f32-3d6e-4381-9288-5c2248e84cce",
"created": "2023-09-29T18:44:27.240Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:44:27.240Z",
+ "modified": "2025-04-16T23:01:29.950Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json b/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json
index c0accea28e..00872bad77 100644
--- a/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json
+++ b/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--42a93301-9f84-405a-9e55-065a33236bd7",
+ "id": "bundle--c7b06550-bb68-49f1-87be-73ec8bde49de",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--21134484-2d59-46b7-b878-527121fff1e3",
"created": "2022-09-26T14:28:17.209Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:28:17.209Z",
+ "modified": "2025-04-16T23:01:30.175Z",
"description": "Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json b/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json
index 634946b53f..b086418335 100644
--- a/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json
+++ b/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9a219fa4-7c12-4d73-9c79-570ce794c86a",
+ "id": "bundle--8e2dbdd5-29c8-439f-b3fd-203bb8519d8c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4",
"created": "2023-09-28T19:44:53.873Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:44:53.873Z",
+ "modified": "2025-04-16T23:01:30.435Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json b/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json
index 2e66878576..0612104fd4 100644
--- a/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json
+++ b/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--69f35f3c-354f-4228-866c-c8e9290473f8",
+ "id": "bundle--06e91ac1-b722-4b15-8bbb-095800f2b7bd",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--21470001-67f2-47cf-af21-784e5024ac1d",
"created": "2023-09-29T18:01:22.023Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:01:22.023Z",
+ "modified": "2025-04-16T23:01:30.632Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json b/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json
index 8ff2ff2ceb..bc57734dae 100644
--- a/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json
+++ b/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8cb24be8-6180-4401-a219-263469bcf06b",
+ "id": "bundle--579a2cfc-2114-4f6b-9555-00a91307f4a5",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:34:19.403Z",
+ "modified": "2025-04-16T23:01:30.857Z",
"description": "Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json b/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json
index c05347c9a7..18341d63d9 100644
--- a/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json
+++ b/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3b407c34-c4dc-4c5f-a6c8-00f57be52ed4",
+ "id": "bundle--a3b9ae5c-a9c9-49b8-9690-0e8384a11cda",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2159458f-87fc-4479-81f4-a2521a378221",
"created": "2023-09-28T21:22:09.790Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:22:09.790Z",
+ "modified": "2025-04-16T23:01:31.056Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json b/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json
index d4afc0b723..3dc660fd99 100644
--- a/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json
+++ b/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0abb530a-c8ad-43ac-a513-023909148703",
+ "id": "bundle--3d179438-8b7c-499d-b34b-620ed505b663",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--21aa6331-3419-4049-b180-8349b71e1f2a",
"created": "2023-09-28T21:11:03.947Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:11:03.947Z",
+ "modified": "2025-04-16T23:01:31.273Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json b/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json
index 13941e2131..e303bf038d 100644
--- a/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json
+++ b/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--0e2ddd8a-b2e4-4e5e-91f6-bf88280a3bd1",
+ "id": "bundle--b41e9b95-af95-4ef5-87bc-5fcc7934ffad",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.089Z",
- "relationship_type": "mitigates",
- "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
- "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:31.501Z",
+ "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
+ "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json b/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json
index d4d90e311a..a6d669e293 100644
--- a/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json
+++ b/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--78bc6b62-9d11-4c58-aa11-3624009d2d41",
+ "id": "bundle--27166219-957e-4b4d-9e05-562df0f11e71",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--220140ac-d927-4d86-9335-c04aa6ee3c61",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.126Z",
- "relationship_type": "mitigates",
- "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. (Citation: Keith Stouffer May 2015)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:31.723Z",
+ "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. (Citation: Keith Stouffer May 2015)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json b/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json
index a0bf6d1bf5..05f5717abf 100644
--- a/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json
+++ b/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c32b8a18-2789-4c85-a5b0-4b67a6fd31a2",
+ "id": "bundle--3c549b0e-d1c9-4399-a45d-3983bb7c43d1",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:26:11.066Z",
+ "modified": "2025-04-16T23:01:31.938Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json b/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json
index 6e6bef2806..42b7c0fda8 100644
--- a/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json
+++ b/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--70119842-2bc2-4510-8fb9-889d2cb1ca9e",
+ "id": "bundle--9ad3f133-1bcb-45d5-8857-af96c89883f2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--22548926-29b4-4882-9878-633375489c0e",
"created": "2023-09-28T20:30:50.842Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:30:50.842Z",
+ "modified": "2025-04-16T23:01:32.138Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json b/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json
index 2f2ae766db..902125d0d3 100644
--- a/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json
+++ b/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fc1e92ff-26b0-4c4e-8a23-45747eba7fda",
+ "id": "bundle--c8111871-1d30-42c5-a226-e245b3a8ad79",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2289f005-7863-4af5-b681-cdfc03d3f111",
"created": "2023-09-29T18:56:08.414Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:56:08.414Z",
+ "modified": "2025-04-16T23:01:32.376Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json b/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json
index 74dc692a7f..29dd55d539 100644
--- a/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json
+++ b/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6080612b-82d4-466a-924a-9e6f186d37d1",
+ "id": "bundle--bac2cd0c-ceca-4fbe-a517-97459ca09e93",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:10:58.645Z",
+ "modified": "2025-04-16T23:01:32.592Z",
"description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) can collect AutoCad files with drawings. These drawings may contain operational information. (Citation: ESET)\n",
"relationship_type": "uses",
"source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57",
"target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json b/ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json
index 58c571aba4..8185e265fc 100644
--- a/ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json
+++ b/ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6594e2bd-f49c-4f4a-a0ff-02cb8a7d345a",
+ "id": "bundle--b0bf252c-5fb0-409f-b7e3-3db270e31891",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--22ba5443-ea49-4076-a666-722eb5352f70",
"created": "2023-09-28T20:02:45.697Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:02:45.697Z",
+ "modified": "2025-04-16T23:01:32.818Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json b/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json
index 00b48bb35b..f7198145b3 100644
--- a/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json
+++ b/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--92ba7422-6723-464a-9515-8abb63fa1a12",
+ "id": "bundle--dcead0b7-e517-4922-aa5c-a36bee96c982",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--232c7049-7609-46a9-8bbe-38672713f853",
"created": "2023-09-28T21:15:32.371Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:15:32.371Z",
+ "modified": "2025-04-16T23:01:33.029Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json b/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json
index 8427f9993a..8e256fcb7c 100644
--- a/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json
+++ b/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--44fdf0ca-da78-446f-94ca-4db9b97e27b1",
+ "id": "bundle--8b2954dd-e5e3-468c-aef5-aedf2ce0f7d6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49",
"created": "2023-09-29T16:43:53.940Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:43:53.940Z",
+ "modified": "2025-04-16T23:01:33.285Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json b/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json
index b9922a4c7c..d94e77a1dc 100644
--- a/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json
+++ b/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--74147cae-61c9-40cd-85a7-7ccca24b274b",
+ "id": "bundle--878ea9e4-ccfa-4b12-8e0e-331eb27979d2",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.212Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:33.516Z",
"description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--23851bda-49de-4f35-979f-c4e6b5742389.json b/ics-attack/relationship/relationship--23851bda-49de-4f35-979f-c4e6b5742389.json
index 0aa6a37b0f..1001e5cd8b 100644
--- a/ics-attack/relationship/relationship--23851bda-49de-4f35-979f-c4e6b5742389.json
+++ b/ics-attack/relationship/relationship--23851bda-49de-4f35-979f-c4e6b5742389.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f284adf5-bd75-4a41-809b-32a405df364f",
+ "id": "bundle--13e5299e-b15c-4a36-a8d2-1a5644745d2f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--23851bda-49de-4f35-979f-c4e6b5742389",
"created": "2024-04-09T20:59:53.669Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:59:53.669Z",
+ "modified": "2025-04-16T23:01:33.748Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json b/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json
index 4f3034ae33..a50a16e43b 100644
--- a/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json
+++ b/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--5f5976df-55ab-4bbd-b14c-794cda8fdc7d",
+ "id": "bundle--d76319e0-84d9-40b8-be21-1a93a4f0db9a",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:19:12.382Z",
+ "modified": "2025-04-16T23:01:33.963Z",
"description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9",
"target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json b/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json
index fd1d941863..bc02445aea 100644
--- a/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json
+++ b/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--fba1cb42-c3ca-4952-838e-ce3b8c78e199",
+ "id": "bundle--3b0d66b0-b82b-41ec-9b68-995ecc5b3f69",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.138Z",
- "relationship_type": "mitigates",
- "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n",
- "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401",
- "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004",
@@ -23,9 +15,16 @@
"url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:34.178Z",
+ "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401",
+ "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json b/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json
index 667d831a33..a57b86881d 100644
--- a/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json
+++ b/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--4f5788be-2378-48db-9905-b92677821627",
+ "id": "bundle--8666f77d-57ba-4160-ba0a-2615497fb318",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.169Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:34.413Z",
"description": "Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json b/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json
index 26cd9a004d..f1c1f84c07 100644
--- a/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json
+++ b/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f5383771-0522-4be8-b34d-aa56b6f248fd",
+ "id": "bundle--c08659ce-401d-45f4-ad24-31732f911828",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07",
"created": "2023-09-28T20:25:47.357Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:25:47.357Z",
+ "modified": "2025-04-16T23:01:34.622Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json b/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json
index 0e2d653273..d4780e75e7 100644
--- a/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json
+++ b/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--0e6a682d-28cc-4eb0-92c1-baef822f7224",
+ "id": "bundle--089038f6-e821-4f25-a01e-2191a800f78e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--245c8c36-28e5-4508-a585-7768cb33299a",
"created": "2023-03-10T20:06:10.209Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:06:10.209Z",
+ "modified": "2025-04-16T23:01:34.847Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the system over radio.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d.json b/ics-attack/relationship/relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d.json
index 0d965d7837..0fe254c0bc 100644
--- a/ics-attack/relationship/relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d.json
+++ b/ics-attack/relationship/relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8631d076-3e74-488f-bca9-7637f116c316",
+ "id": "bundle--cad8346f-1d83-4220-a507-27b9f253c142",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d",
"created": "2024-04-09T21:00:24.049Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T21:00:24.049Z",
+ "modified": "2025-04-16T23:01:35.080Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json b/ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json
index 5b95ce841d..1fe4784f6c 100644
--- a/ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json
+++ b/ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--914c8572-33dc-46d2-b68c-362210c2a156",
+ "id": "bundle--87f218c1-895e-4237-826a-fa58ec46727d",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.257Z",
+ "modified": "2025-04-16T23:01:35.317Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable. (Citation: Ukraine15 - EISAC - 201603)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json b/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json
index 85b1a19dd8..582a9b9f68 100644
--- a/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json
+++ b/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3555fa37-ee6e-4fd7-84d7-41e74261db00",
+ "id": "bundle--7c30d559-767f-4e57-a10e-7e906396c858",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5",
"created": "2023-09-29T17:07:55.738Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:07:55.738Z",
+ "modified": "2025-04-16T23:01:35.532Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json b/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json
index b0de33086e..db46d97474 100644
--- a/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json
+++ b/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--662ecc3a-f4a9-4c04-8252-f016181fa013",
+ "id": "bundle--ec585b4e-98fa-4c3b-ac6b-d87054726af0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe",
"created": "2023-09-28T20:10:06.838Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:10:06.838Z",
+ "modified": "2025-04-16T23:01:35.763Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json b/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json
index 8f9751d935..1fb15b6a69 100644
--- a/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json
+++ b/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--13629cd8-523d-4f1c-8ee0-ee104960a2d5",
+ "id": "bundle--12504941-3382-4f23-8c0c-a9abcca0ca34",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--250212f0-a149-4a14-af83-94f7fcedc021",
"created": "2023-09-28T20:26:29.934Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:26:29.934Z",
+ "modified": "2025-04-16T23:01:35.960Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json b/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json
index e07d6b8e39..5826849586 100644
--- a/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json
+++ b/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5fb98e18-3089-4eac-88e8-d4c51c256c9b",
+ "id": "bundle--5ac28ca7-921a-4aee-9a4e-078363280a37",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--25281488-be20-4d83-89d1-1da7ea836037",
"created": "2023-09-29T17:40:47.898Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:40:47.898Z",
+ "modified": "2025-04-16T23:01:36.185Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json b/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json
index a4c50fa688..ac07b4de4e 100644
--- a/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json
+++ b/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json
@@ -1,33 +1,32 @@
{
"type": "bundle",
- "id": "bundle--e73f8f60-11b2-4a1a-a27f-a78083f95c2b",
+ "id": "bundle--59d5a394-7141-4719-a563-af074cef9dd0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3",
"created": "2023-03-30T18:57:21.754Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "Kevin Savage and Branko Spasojevic",
- "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ",
- "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99"
+ "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20190930124504/https:/www.symantec.com/security-center/writeup/2012-052811-0308-99"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T18:57:21.754Z",
+ "modified": "2025-04-16T23:01:36.409Z",
"description": "[Flame](https://attack.mitre.org/software/S0143) has built-in modules to gather information from compromised computers. (Citation: Kevin Savage and Branko Spasojevic)",
"relationship_type": "uses",
"source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json b/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json
index ec2240d955..54f43a0661 100644
--- a/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json
+++ b/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4720c111-ebbe-4025-978f-d91d5712b5e8",
+ "id": "bundle--d5e38639-beac-4b48-bceb-9a64aa408caf",
"spec_version": "2.0",
"objects": [
{
@@ -22,27 +22,26 @@
},
{
"source_name": "FireEye APT38 Oct 2018",
- "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.",
+ "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.",
"url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"
},
{
"source_name": "LogRhythm WannaCry",
- "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.",
- "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"
+ "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024.",
+ "url": "https://web.archive.org/web/20230522041200/https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-08-26T16:33:33.986Z",
+ "modified": "2025-04-16T22:03:05.097Z",
"description": "(Citation: FireEye APT38 Oct 2018)(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)",
"relationship_type": "uses",
"source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json b/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json
index 3fc0ff9f88..6d436d6282 100644
--- a/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json
+++ b/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f455bee5-d660-4cad-a8b5-34187ccae921",
+ "id": "bundle--50856dcc-fc7b-43da-acda-da7140ec216f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:32:29.856Z",
+ "modified": "2025-04-16T23:01:36.720Z",
"description": "Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json b/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json
index cf8b230b1c..db231e8e32 100644
--- a/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json
+++ b/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--42e28991-a4e1-4597-b3f3-d260db419118",
+ "id": "bundle--23b90b0f-cccf-4d1c-8a06-37958d66828a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d",
"created": "2022-09-26T16:16:21.749Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:16:21.749Z",
+ "modified": "2025-04-16T23:01:36.915Z",
"description": "Monitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json b/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json
index ab2af5a57b..6080ee99c7 100644
--- a/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json
+++ b/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c2c1b23a-54ba-44d7-934b-66af24e23c7c",
+ "id": "bundle--33a36967-48a4-412a-a1f4-f23a3fa0414d",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-05T22:05:00.124Z",
+ "modified": "2025-04-16T23:01:37.117Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary disabled alarms at four pumping stations, preventing notifications to the central computer.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json b/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json
index 48ec2eef7e..6307812392 100644
--- a/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json
+++ b/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--556be8db-977b-4d84-8c36-c3f5d12c4baa",
+ "id": "bundle--48f1cc0f-f2c0-4e19-91d7-cb6a61aa6e09",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T16:54:09.871Z",
+ "modified": "2025-04-16T23:01:37.322Z",
"description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. (Citation: Dragos October 2018)",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json b/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json
index a0ea424519..8ecd8c4e70 100644
--- a/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json
+++ b/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--05bdcc1c-e36f-4e4e-9672-d1886500f9ba",
+ "id": "bundle--140a0f3a-a655-4047-9585-7dce96331356",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:49:04.746Z",
+ "modified": "2025-04-16T23:01:37.528Z",
"description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json b/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json
index 3781524bc0..44634e74b8 100644
--- a/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json
+++ b/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--1a38874e-89a8-4be4-8aff-f67eeb56abe4",
+ "id": "bundle--7417fdf0-7bc9-4ff0-8a49-1a487e6e03b0",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.170Z",
- "relationship_type": "mitigates",
- "description": "Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
- "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:37.745Z",
+ "description": "Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
+ "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json b/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json
index 4d030c5238..1056e3a5bf 100644
--- a/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json
+++ b/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--ec726f0d-59d4-4a5b-a047-a3e929caf94e",
+ "id": "bundle--fc6a788d-5116-4c43-aa04-38fec2a820d9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--274994e7-1fe9-463a-9979-46c72107bf9b",
"created": "2023-03-30T18:56:47.685Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T18:56:47.685Z",
+ "modified": "2025-04-16T23:01:37.951Z",
"description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from infected systems. (Citation: ESET)",
"relationship_type": "uses",
"source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json b/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json
index 4ffeeb2fb2..6d4f7b1321 100644
--- a/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json
+++ b/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--6994c376-66c9-4adf-b259-0b69c869b9ae",
+ "id": "bundle--4d7c2cb6-89a7-401c-9e97-f699e794e793",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--276aa6a6-e700-470a-8f72-02537ba7be9d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.128Z",
- "relationship_type": "mitigates",
- "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n",
- "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02",
- "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:38.152Z",
+ "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02",
+ "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json b/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json
index 7ea8844305..45f59a0098 100644
--- a/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json
+++ b/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--70fb9073-bdae-4474-85db-9f0189ae8b69",
+ "id": "bundle--31f1c3da-1abc-461d-aa0c-b08c2cafb12c",
"spec_version": "2.0",
"objects": [
{
@@ -29,15 +29,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.434Z",
+ "modified": "2025-04-16T23:01:38.377Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to remotely connect to Schneider PLCs and perform maintenance functions on the device.(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use Telnet to upload payloads and execute commands on Omron PLCs.\t(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream) The malware can also use HTTP-based CGI scripts (e.g., cpu.fcgi, ecat.fcgi) to gain administrative access to the device.(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json b/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json
index 5ee0a8f552..eeca8ee990 100644
--- a/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json
+++ b/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--25c4e9be-b811-494d-bd3e-b24f5a881b97",
+ "id": "bundle--9d176f44-2328-4a2d-8582-0761ab6a0ed8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad",
"created": "2023-09-29T18:05:32.443Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:05:32.443Z",
+ "modified": "2025-04-16T23:01:38.580Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json b/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json
index a8b45758c6..9c6b955aea 100644
--- a/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json
+++ b/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--41d79a03-f51c-4df6-995d-64959f310057",
+ "id": "bundle--80e27fb1-5988-4a45-af53-8c4ff045a981",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:10:43.996Z",
+ "modified": "2025-04-16T23:01:38.801Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json b/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json
index 3c97ede0a2..d44b3725e3 100644
--- a/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json
+++ b/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--012329d0-6968-492c-8f06-a24337bf6070",
+ "id": "bundle--db34cf90-a481-4594-880c-945bb52a7e4e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e",
"created": "2023-09-28T21:26:47.115Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:26:47.115Z",
+ "modified": "2025-04-16T23:01:39.000Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json b/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json
index 5531642a76..b80ae8d8c9 100644
--- a/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json
+++ b/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1f6dc4cc-06dd-4b6b-84f1-0bdf76177520",
+ "id": "bundle--8c371c97-5f6a-4dcc-bf0a-0c98080c105a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--296375b0-817d-4f42-afe1-4308f5edf973",
"created": "2023-09-28T21:10:25.193Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:10:25.193Z",
+ "modified": "2025-04-16T23:01:39.198Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json b/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json
index 4595161517..ce81928f48 100644
--- a/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json
+++ b/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--2d67ed3d-5945-459e-89ca-c88d7be1af75",
+ "id": "bundle--2e4a7712-b7c6-4b23-8385-722146d8f4cb",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--2971151c-0e8a-4567-84dc-01cf5dd35005",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--2971151c-0e8a-4567-84dc-01cf5dd35005",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.199Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:39.441Z",
"description": "Digital signatures may be used to ensure application DLLs are authentic prior to execution.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json b/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json
index 9fbb462c2c..393dab8e56 100644
--- a/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json
+++ b/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d2676b25-d263-4de4-a4ec-37d76774a3c8",
+ "id": "bundle--ec7aa187-67f0-4bd7-acf9-6b8405b0b51d",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:36:50.910Z",
+ "modified": "2025-04-16T23:01:39.670Z",
"description": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json b/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json
index 904b5b8076..8fcb7e8866 100644
--- a/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json
+++ b/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--591531fa-1e0f-4f02-8932-14f616b62b5e",
+ "id": "bundle--415f0bf0-bc88-4a8a-aa65-257bd9a3acb5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81",
"created": "2023-09-29T18:46:39.854Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:46:39.854Z",
+ "modified": "2025-04-16T23:01:39.889Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json b/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json
index 0fb76f5418..1e15323f77 100644
--- a/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json
+++ b/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c93d661c-e882-40c1-8cb1-90de0192ed49",
+ "id": "bundle--8d2e7c7e-59b9-40fc-8bc4-6ee2bd10af3b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2a451896-81aa-4eed-a444-4d04661adeeb",
"created": "2023-09-29T16:43:42.911Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:43:42.911Z",
+ "modified": "2025-04-16T23:01:40.097Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json b/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json
index 433b022275..5bf46bb213 100644
--- a/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json
+++ b/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7e2c9810-1bfb-4e03-bdd3-1b60b4d94e23",
+ "id": "bundle--67a576eb-6246-4a52-8b3f-b37aa8582bac",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe",
"created": "2023-09-28T19:38:46.361Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:38:46.361Z",
+ "modified": "2025-04-16T23:01:40.314Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json b/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json
index 8bae1ccd32..a36cd4d31e 100644
--- a/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json
+++ b/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--0df1c1ef-75c8-478a-b613-d196e6bfdcdb",
+ "id": "bundle--1f152868-d337-48a3-8fee-612949f77210",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.127Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:40.526Z",
"description": "Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433",
"target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json b/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json
index 5e2b9baf96..6d1d5fb035 100644
--- a/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json
+++ b/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9ad12cb4-a05d-4ed8-abb0-e5c3eea64b0a",
+ "id": "bundle--c4db6a51-a666-4d27-b22c-130277ba1aea",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1",
"created": "2023-09-29T18:46:54.684Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:46:54.684Z",
+ "modified": "2025-04-16T23:01:40.766Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json b/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json
index 6f7d7c8c2f..45e6fd1791 100644
--- a/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json
+++ b/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--eee637c8-d946-4833-8865-84232cdd4c17",
+ "id": "bundle--ee3d6020-3512-454a-8f79-9a9137b87a8d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2c79920a-f2d1-4114-a1df-924835da645c",
"created": "2023-09-28T19:53:00.672Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:53:00.672Z",
+ "modified": "2025-04-16T23:01:40.983Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json b/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json
index f9bd7012ad..df77221ad1 100644
--- a/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json
+++ b/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--092c9bd7-c4a8-464b-991f-87e268582e47",
+ "id": "bundle--56f7d9af-d568-424e-823e-40192d661583",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.071Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:41.322Z",
"description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json b/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json
index 71cb67512e..817c79d020 100644
--- a/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json
+++ b/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--75ee905c-5229-4899-9f4f-306a4215e7e5",
+ "id": "bundle--c379db09-f115-4b69-a79d-99a9adc10bfd",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.150Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:41.525Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json b/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json
index fff9c5fd0a..4cdab6a78d 100644
--- a/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json
+++ b/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--03882ee5-916c-4157-96a6-3cad9b21903a",
+ "id": "bundle--18dde590-06b0-4967-b0b7-6cfff7c65b00",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919",
"created": "2022-09-27T16:30:41.482Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T16:30:41.482Z",
+ "modified": "2025-04-16T23:01:41.751Z",
"description": "Monitor device management protocols for functions that modify programs such as online edit and program append events.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json b/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json
index 7219a2d087..1febdcf52a 100644
--- a/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json
+++ b/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--00d7d936-9ded-417c-b87b-9b4f16b49015",
+ "id": "bundle--324329c6-071c-4c76-83e6-968f0d516209",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2",
"created": "2023-09-29T16:33:12.887Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:33:12.887Z",
+ "modified": "2025-04-16T23:01:41.964Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json b/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json
index c4701fc6f6..8e82b079d1 100644
--- a/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json
+++ b/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--189f465e-85ad-4c9c-b102-607fbba44d33",
+ "id": "bundle--3338a609-988d-4651-ad35-0ec3d437d5c6",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:02:57.267Z",
+ "modified": "2025-04-16T23:01:42.183Z",
"description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json b/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json
index aa36a228c2..563a49c1ad 100644
--- a/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json
+++ b/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--c8ff73e5-bf77-4745-8295-e21d5aa6e1dd",
+ "id": "bundle--69c1350a-a87f-4fb8-9423-fffc5e734eff",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.126Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:42.413Z",
"description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json b/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json
index d88690d0a1..4c072590a4 100644
--- a/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json
+++ b/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6903083e-0686-46dd-a7fa-a0866f3aa821",
+ "id": "bundle--b1e510f5-9942-41a8-8ab1-638b3c79c585",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe",
"created": "2023-09-29T17:39:15.857Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:39:15.857Z",
+ "modified": "2025-04-16T23:01:42.621Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json b/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json
index fc9e5b7051..ea48b6bb35 100644
--- a/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json
+++ b/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9ae5cf30-d475-4416-9a6d-da8b6ced70bc",
+ "id": "bundle--de3a8eed-cd2a-4bdd-adf4-ed0914a0a5d0",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:51:31.992Z",
+ "modified": "2025-04-16T23:01:42.843Z",
"description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json b/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json
index 6c1d954991..088ad61b5a 100644
--- a/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json
+++ b/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--94683c37-d38b-423e-97a0-e28884824dad",
+ "id": "bundle--914117bf-c453-4fb8-9a96-0b90783f7f9d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a",
"created": "2023-09-28T19:40:51.425Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:40:51.425Z",
+ "modified": "2025-04-16T23:01:43.048Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json b/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json
index 45e82d4ac6..0c127186cf 100644
--- a/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json
+++ b/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--13639f78-7091-481e-9f98-35216bc9a05b",
+ "id": "bundle--511c727d-7b44-4bb5-8d8c-38ce3d060960",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:10:53.087Z",
+ "modified": "2025-04-16T23:01:43.273Z",
"description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json b/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json
index 747ecd6c74..0f349733a4 100644
--- a/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json
+++ b/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--bd97b083-ef18-4fc8-ba92-6b94fdaeb1ad",
+ "id": "bundle--63416b6b-63c8-46b5-9571-1d19483290e3",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.220Z",
- "relationship_type": "mitigates",
- "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
- "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -28,9 +20,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:43.495Z",
+ "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
+ "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json b/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json
index 9d1e1ddc15..7f854e2ac5 100644
--- a/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json
+++ b/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--91cae2e5-112e-4123-b996-8a7e5a73881f",
+ "id": "bundle--d5b48ed0-f079-4c8b-8b88-307ad98a795c",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.173Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:43.725Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json b/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json
index 6915abc03d..5187683048 100644
--- a/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json
+++ b/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--081ab002-4560-4c0b-a241-d1241f8dd893",
+ "id": "bundle--aa7446d1-f17a-4dff-8cae-3cb755b3a1dd",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8",
"created": "2023-09-28T20:02:05.365Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:02:05.365Z",
+ "modified": "2025-04-16T23:01:43.954Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json b/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json
index c07a36fa60..8ee8e36572 100644
--- a/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json
+++ b/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--47587f7c-c538-4ea5-af57-72b22386366e",
+ "id": "bundle--0afab045-d530-4d64-8f75-c48bfccc593d",
"spec_version": "2.0",
"objects": [
{
@@ -12,7 +12,7 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
},
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.258Z",
+ "modified": "2025-04-16T23:01:44.177Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json b/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json
index 3194d70db8..ec864b32a5 100644
--- a/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json
+++ b/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0dd06b97-0528-4ea3-a8d2-96600310ad35",
+ "id": "bundle--714dff97-01ed-4fb4-861b-e9700ca36f41",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2f457bef-1721-4e0f-b236-24e4652a31b4",
"created": "2023-09-29T16:29:53.181Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:29:53.181Z",
+ "modified": "2025-04-16T23:01:44.422Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json b/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json
index d72d4b4509..c8fc8ee045 100644
--- a/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json
+++ b/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--a64ad4f4-6729-4c25-9b29-223cd31c407f",
+ "id": "bundle--93b14613-5ca8-44f8-906a-9eb1f3a6a7ce",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.201Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:44.642Z",
"description": "Execution prevention may prevent malicious scripts from accessing protected resources.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json b/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json
index 9cca3479df..5e4017c8cf 100644
--- a/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json
+++ b/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--b8c07424-fb04-4701-9d51-392934db7725",
+ "id": "bundle--03dc429c-57dc-4cc6-8727-25f8626f62de",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.240Z",
- "relationship_type": "mitigates",
- "description": "Reduce the range of RF communications to their intended operating range when possible. Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n",
- "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e",
- "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "DHS National Urban Security Technology Laboratory April 2019",
@@ -23,9 +15,16 @@
"url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:44.915Z",
+ "description": "Reduce the range of RF communications to their intended operating range when possible. Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e",
+ "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd.json b/ics-attack/relationship/relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd.json
index c52f6b144c..9b01eb87f8 100644
--- a/ics-attack/relationship/relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd.json
+++ b/ics-attack/relationship/relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--346a9bfc-b2f3-41f4-8a1c-f5b84b03a8fe",
+ "id": "bundle--787e4f72-7cd3-4692-b0a8-7d4f43e83d87",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd",
"created": "2024-04-09T21:02:56.157Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T21:02:56.157Z",
+ "modified": "2025-04-16T23:01:45.125Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json b/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json
index 215ba02c81..24f511264f 100644
--- a/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json
+++ b/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--97a90cc4-9b67-4f9a-aaad-9eae9d334707",
+ "id": "bundle--67e5b0e5-9575-47f8-8568-5c544b0556fd",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50",
"created": "2023-09-28T20:30:21.865Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:30:21.865Z",
+ "modified": "2025-04-16T23:01:45.376Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json b/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json
index 1d0d4ff0c4..f8ae745f63 100644
--- a/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json
+++ b/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a37d8640-bce0-48b8-8a20-ff7f52f78a47",
+ "id": "bundle--2caec9ee-faf8-408a-be74-63bd279ef80e",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-14T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.226Z",
- "relationship_type": "mitigates",
- "description": "Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
- "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:45.597Z",
+ "description": "Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
+ "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json b/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json
index 3bff59c522..101c101915 100644
--- a/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json
+++ b/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--da4c36b7-ffdc-4f44-b415-68ffbe51f611",
+ "id": "bundle--3a57e597-ee15-4abe-b90b-c0d0f58ac2a1",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:11:26.196Z",
+ "modified": "2025-04-16T23:01:45.832Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json b/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json
index 6a5df8e238..11fc47917f 100644
--- a/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json
+++ b/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e7572653-34cc-4a59-8622-47a6038427f3",
+ "id": "bundle--ff9b5560-3ecf-49c1-9036-23857649239e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9",
"created": "2023-09-28T19:43:28.167Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:43:28.167Z",
+ "modified": "2025-04-16T23:01:46.041Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json b/ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json
index 44851d702e..1be08bd658 100644
--- a/ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json
+++ b/ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b8437d78-477d-4df4-b03c-f6ce8f65e91b",
+ "id": "bundle--7dfad800-0abc-40fc-a0aa-fcb68c0329b3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--2fe222c4-cc81-473d-956e-235e2961a5c3",
"created": "2023-09-29T17:04:26.769Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:04:26.769Z",
+ "modified": "2025-04-16T23:01:46.267Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json b/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json
index f405abe07c..2e3c745acc 100644
--- a/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json
+++ b/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--fb7207e6-41cd-46c0-a741-610351166a15",
+ "id": "bundle--523be18a-3a1a-4883-8d77-e660c9afdf22",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--2ff82993-5010-4450-89e7-341f449f3263",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--2ff82993-5010-4450-89e7-341f449f3263",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.092Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:46.513Z",
"description": "Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json b/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json
index cd9eac649f..0c328b067a 100644
--- a/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json
+++ b/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--8f9c4589-784f-428f-8b68-c1f3279d2a07",
+ "id": "bundle--a8cae23b-a5c7-440a-84fa-426e05617292",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.201Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:46.724Z",
"description": "Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. This may be even more useful in cases where the source of the executed script is unknown.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json b/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json
index 5bc6013cc6..9229c800db 100644
--- a/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json
+++ b/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4faa2f29-c236-45c3-885b-48ac626bf08d",
+ "id": "bundle--056b2e45-9172-4e3c-b5fe-a69ecb45913a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--305866af-1f36-49e0-a57d-d5faaf29011c",
"created": "2023-09-28T20:34:52.740Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:34:52.740Z",
+ "modified": "2025-04-16T23:01:46.946Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json b/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json
index e2b83e9288..7c7e3830a2 100644
--- a/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json
+++ b/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ec030199-2f9e-4bc0-bfcc-911a4734ca17",
+ "id": "bundle--bd75aa5c-d768-4b0a-90d7-8ddb70d14c45",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:04:11.691Z",
+ "modified": "2025-04-16T23:01:47.152Z",
"description": "[REvil](https://attack.mitre.org/software/S0496) searches for all processes listed in the prc field within its configuration file and then terminates each process. (Citation: McAfee Labs October 2019)",
"relationship_type": "uses",
"source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json b/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json
index 29338e9dda..64d2910f8a 100644
--- a/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json
+++ b/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9c82d73f-bd17-4011-b18b-9dcb228ee330",
+ "id": "bundle--893131ba-ec70-4873-a9d6-3cc0b18c061a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:16:37.643Z",
+ "modified": "2025-04-16T23:01:47.392Z",
"description": "Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of [Valid Accounts](https://attack.mitre.org/techniques/T0859) to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json b/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json
index 8e6c0777d0..23a9d9e63a 100644
--- a/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json
+++ b/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ec8afafd-23b0-4556-9e8c-2373c0bcbbcc",
+ "id": "bundle--4697100a-d65b-4d30-b8cb-4f4b5554ed85",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:00:39.796Z",
+ "modified": "2025-04-16T23:01:47.602Z",
"description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) utilizes the PLC communication and management API to load executable Program Organization Units. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
"relationship_type": "uses",
"source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json b/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json
index 4601a4d944..1fa0fea62d 100644
--- a/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json
+++ b/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--baedced0-17ba-4238-ab5a-292de4d85b65",
+ "id": "bundle--28ad3d57-a2d4-4115-a2ed-a4d68bac6e29",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-10-04T11:00:14.895Z",
+ "modified": "2025-04-16T23:01:47.848Z",
"description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. (Citation: Eduard Kovacs March 2018)",
"relationship_type": "uses",
"source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json b/ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json
index 09f844e465..cbd04a2ba3 100644
--- a/ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json
+++ b/ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--76bb2f4b-507a-4b69-9527-7c25be047c9f",
+ "id": "bundle--f5103844-92b5-4e74-bce6-245d1d39180f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a",
"created": "2023-10-02T20:18:11.933Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:18:11.933Z",
+ "modified": "2025-04-16T23:01:48.055Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json b/ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json
index a935adaa8b..79dd59c0b8 100644
--- a/ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json
+++ b/ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a7257fbf-a41f-4ab3-a3b9-4e63f018c2b1",
+ "id": "bundle--9efeeeef-0b0b-41eb-8a06-3e9dba273ea5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce",
"created": "2023-09-28T21:16:44.471Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:16:44.471Z",
+ "modified": "2025-04-16T23:01:48.301Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json b/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json
index c383a66205..8d6561d49b 100644
--- a/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json
+++ b/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0e5b9be4-8de4-4996-9aea-7a91191a8dfa",
+ "id": "bundle--0f51ea2b-aa53-43a9-8991-6d1cbc35baa4",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:32:18.815Z",
+ "modified": "2025-04-16T23:01:48.528Z",
"description": "Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json b/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json
index e4e3fc8709..3bb15f551c 100644
--- a/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json
+++ b/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--de631ef1-c709-49fd-90bc-27cf4faa8222",
+ "id": "bundle--6b556608-372b-4be8-958b-c1ffb8cc58c2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5",
"created": "2023-09-28T20:26:15.542Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:26:15.542Z",
+ "modified": "2025-04-16T23:01:48.778Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json b/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json
index 93bb35b654..ded1fd3335 100644
--- a/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json
+++ b/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e41dcf6e-490b-42d2-b909-5b019e3a18f5",
+ "id": "bundle--ec38488f-9410-4e02-8415-dbd7504c5ec5",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:11:45.996Z",
+ "modified": "2025-04-16T23:01:48.987Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) sends an SQL statement that creates a table and inserts a binary value into the table. The binary value is a hex string representation of the main Stuxnet DLL as an executable file (formed using resource 210) and an updated configuration data block. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json b/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json
index ea5ff4e529..bb90ddd80e 100644
--- a/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json
+++ b/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a0b325d0-cfef-46bc-bfd3-e7aa5a8415aa",
+ "id": "bundle--9f0dfa18-f2bf-4c82-a64e-3d44ad06bbc5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b",
"created": "2023-09-28T21:21:07.833Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:21:07.833Z",
+ "modified": "2025-04-16T23:01:49.213Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json b/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json
index 2c0d328e97..cfd98e3b7d 100644
--- a/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json
+++ b/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6d2364c8-6b42-4505-aa22-e1060b8c1bdf",
+ "id": "bundle--5d733443-f46a-461c-9026-fa236548293e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b",
"created": "2023-09-28T20:10:23.215Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:10:23.215Z",
+ "modified": "2025-04-16T23:01:49.426Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json b/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json
index a580481415..b836818692 100644
--- a/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json
+++ b/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2b15137b-7265-4255-acfe-e23b71cf415b",
+ "id": "bundle--836fd3dd-3dd4-4d16-b1af-7b840de6cc59",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--32d15d1a-04ba-4035-907a-e2871425e8d1",
"created": "2023-09-28T20:28:40.722Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:28:40.722Z",
+ "modified": "2025-04-16T23:01:49.640Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json b/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json
index fc174cd4e7..7cf7fb5473 100644
--- a/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json
+++ b/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--6156de32-da48-4de8-af51-7ca41c0ec6e0",
+ "id": "bundle--3c0c40bd-2e86-4bd5-ba4d-3942fa969cdf",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.130Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:49.868Z",
"description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json b/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json
index 6398778076..6b2cbfa3d9 100644
--- a/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json
+++ b/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--be968f1f-c57d-44ee-9200-db7eac43ba54",
+ "id": "bundle--7b15f25c-1763-49d5-97f5-3115c34e2407",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3334e647-fd5d-481d-a7f9-66f73911a57a",
"created": "2023-09-28T19:45:30.291Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:45:30.291Z",
+ "modified": "2025-04-16T23:01:50.097Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json b/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json
index 6906b5ced5..2451bfaa74 100644
--- a/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json
+++ b/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--32b8262c-fb0c-4b1a-b919-f595a23dcfe4",
+ "id": "bundle--434d8c8a-855a-4874-877f-3e1410b4852c",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.092Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:50.313Z",
"description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65",
"target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--337f366d-3d76-470c-8ee2-0e2252648282.json b/ics-attack/relationship/relationship--337f366d-3d76-470c-8ee2-0e2252648282.json
index 990313be56..0e3db1a2ee 100644
--- a/ics-attack/relationship/relationship--337f366d-3d76-470c-8ee2-0e2252648282.json
+++ b/ics-attack/relationship/relationship--337f366d-3d76-470c-8ee2-0e2252648282.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0f0cc7be-2383-4717-a1c7-6019a4f06720",
+ "id": "bundle--8e2a8ae8-9b6f-4dbe-ac77-b12ffdcec621",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--337f366d-3d76-470c-8ee2-0e2252648282",
"created": "2024-03-25T20:19:43.390Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-25T20:19:43.390Z",
+ "modified": "2025-04-16T23:01:50.518Z",
"description": "Disallow the execution of applications/programs which are not required for normal system functions, including any specific command-line arguments which may allow the execution of proxy commands or application binaries.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30",
"target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json b/ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json
index 97838c3ea0..f6cead1587 100644
--- a/ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json
+++ b/ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b91993c8-7061-47e9-a811-4cca252cb8a8",
+ "id": "bundle--3b6b7cae-a086-4e4b-aad4-14f1dae62fe4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7",
"created": "2023-09-29T16:47:08.696Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:47:08.696Z",
+ "modified": "2025-04-16T23:01:50.768Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json b/ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json
index 37ac766b9d..52928625d2 100644
--- a/ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json
+++ b/ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b1a57f3b-a333-440f-b1b2-34fc7ae37ac0",
+ "id": "bundle--ce8d1184-bec7-4867-970e-43b6fb7426f5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5",
"created": "2023-09-29T18:07:41.540Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:07:41.540Z",
+ "modified": "2025-04-16T23:01:51.006Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json b/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json
index 4385f8ade5..afcdfa5bc2 100644
--- a/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json
+++ b/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8c19a1cd-93e2-4338-91c5-fe927727034f",
+ "id": "bundle--3c0876d1-986e-491a-8843-16711ae108d2",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:08:28.052Z",
+ "modified": "2025-04-16T23:01:51.215Z",
"description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json b/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json
index 15c30c22fb..faedf7b7e2 100644
--- a/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json
+++ b/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--34db54ce-c09e-4201-91f8-51af76739bb3",
+ "id": "bundle--c4007d68-6330-4b27-b40f-d35ffa045b88",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3471632d-253d-469e-9e8c-3b291b4ae88a",
"created": "2023-09-28T21:14:15.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:14:15.274Z",
+ "modified": "2025-04-16T23:01:51.437Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json b/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json
index 936750ba39..40bc7b3fe0 100644
--- a/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json
+++ b/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--c76c0feb-10e2-43c7-a94d-05fe5b0a1499",
+ "id": "bundle--5da000df-aa34-4d3d-86d0-3b6a697bd9b2",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--3478c49c-594b-4224-b7f9-2b0b09c67288",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.239Z",
- "relationship_type": "mitigates",
- "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. (Citation: Bastille April 2017)\n",
- "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a",
- "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Bastille April 2017",
@@ -23,9 +15,16 @@
"url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:51.636Z",
+ "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. (Citation: Bastille April 2017)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a",
+ "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json b/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json
index dfe5f48b54..ac3ff66b4f 100644
--- a/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json
+++ b/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--d52c5b21-ee98-488a-be16-4768fdaf4abf",
+ "id": "bundle--e0fbc87c-8c00-44ef-8846-76e22c756a6f",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-04-13T11:15:26.506Z",
- "modified": "2022-05-06T17:47:24.156Z",
- "relationship_type": "mitigates",
- "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n",
- "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
- "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "IEC February 2019",
@@ -23,9 +15,16 @@
"url": "https://webstore.iec.ch/publication/34421"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:51.855Z",
+ "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json b/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json
index f00eaf6054..dd4a6ccbc4 100644
--- a/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json
+++ b/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--186b4fdd-5a48-4b41-9464-f361c96c60fd",
+ "id": "bundle--c55d3bb5-5223-493f-9692-aa08665ae194",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.168Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:52.073Z",
"description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json b/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json
index 25ad20c952..c327fdcc5e 100644
--- a/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json
+++ b/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--44309e6b-ae8c-49b9-8d45-fb980a3f960d",
+ "id": "bundle--328d8ad7-ace7-4698-a530-b1af5e7a5226",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-29T20:49:30.525Z",
+ "modified": "2025-04-16T23:01:52.315Z",
"description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. (Citation: DHS CISA February 2019)\n\n[Triton](https://attack.mitre.org/software/S1009) was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.(Citation: FireEye TRITON)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json b/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json
index 06a7f3735e..41883dc04c 100644
--- a/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json
+++ b/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--322a6deb-d97e-48bc-bc57-5942edf12ab6",
+ "id": "bundle--938fa681-1420-4233-8618-8b60f2df493e",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:24:36.935Z",
+ "modified": "2025-04-16T23:01:52.519Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. (Citation: DHS CISA February 2019)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json b/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json
index ca1b30c246..7ddf1048a4 100644
--- a/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json
+++ b/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9372473e-036c-40ae-9e6d-72e892ef8da1",
+ "id": "bundle--9d0d7f28-b76e-4b0b-aedf-6470d3fb258f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3526acc8-8834-4aaa-87a5-51e587360cf5",
"created": "2023-09-29T18:45:47.394Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:45:47.394Z",
+ "modified": "2025-04-16T23:01:52.764Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json b/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json
index 023f874d1b..2051f68c81 100644
--- a/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json
+++ b/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d29d338b-f0ac-460f-9e16-0abf740166d6",
+ "id": "bundle--7d4d34d5-ad2e-4ebe-8781-602b04a86a35",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T15:19:15.124Z",
+ "modified": "2025-04-16T23:01:52.991Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used an IT helpdesk software to move the mouse on ICS control devices to maliciously release electricity breakers. (Citation: Andy Greenberg June 2017)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json b/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json
index 45ed97d00c..1e82ce04bd 100644
--- a/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json
+++ b/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--670123f9-071f-4c6e-849d-678a44983cde",
+ "id": "bundle--6d9b4dc2-b99e-411f-b63c-b4e1d79e3963",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T16:43:32.737Z",
+ "modified": "2025-04-16T23:01:53.210Z",
"description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json b/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json
index 842bcd083c..5c454fea7f 100644
--- a/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json
+++ b/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--cee130e1-36f5-4822-93a5-0c1d1f1df837",
+ "id": "bundle--ff50b82d-58a9-4c3e-895d-9d98b72cbde4",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T16:31:19.923Z",
+ "modified": "2025-04-16T23:01:53.429Z",
"description": "[OilRig](https://attack.mitre.org/groups/G0049) used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. (Citation: Robert Falcone, Bryan Lee May 2016)",
"relationship_type": "uses",
"source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json b/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json
index d1c0f8f179..2b9359966b 100644
--- a/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json
+++ b/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4902e285-8fea-490e-bef8-0ac4e135c218",
+ "id": "bundle--92dacb8e-c158-43cf-bc68-c40c1e081e06",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:55:14.211Z",
- "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. For added context on adversary procedures and background see [User Execution](https://attack.mitre.org/techniques/T1204) and applicable sub-techniques.",
+ "modified": "2025-04-16T23:01:53.631Z",
+ "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information Mitigation](https://attack.mitre.org/mitigations/T1140) in payloads. For added context on adversary procedures and background see [User Execution Mitigation](https://attack.mitre.org/mitigations/T1204) and applicable sub-techniques.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json b/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json
index 7629b3385d..b02b6369ff 100644
--- a/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json
+++ b/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--903c872a-136e-4a9d-bd30-014877ac8af4",
+ "id": "bundle--8037ae60-955c-406c-9018-8fb6423d2c00",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.179Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:01:53.861Z",
"description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json b/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json
index f023fd6208..70c753f274 100644
--- a/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json
+++ b/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--25972fb1-580d-43d5-8088-14b367697074",
+ "id": "bundle--0b238d0e-4281-4831-99c4-1cb78d672d36",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d",
"created": "2023-09-28T20:29:27.153Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:29:27.153Z",
+ "modified": "2025-04-16T23:01:54.072Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json b/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json
index 3ffc342166..b54a8689de 100644
--- a/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json
+++ b/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--620a636d-4f43-463e-bb1d-d09c0106596c",
+ "id": "bundle--8dfeeaf6-cbeb-497b-810f-4718d0b1f046",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--37048032-b41d-47d8-9c73-7b706bef24d1",
"created": "2023-09-28T20:27:58.625Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:27:58.625Z",
+ "modified": "2025-04-16T23:01:54.320Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json b/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json
index e8b80bb844..4b4bd5f18b 100644
--- a/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json
+++ b/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1d39602e-63a0-4aa0-a6b9-e1d160ac450f",
+ "id": "bundle--aeb657e9-910c-42f7-bd15-8f383ee3d8c2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be",
"created": "2023-09-28T21:13:36.185Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:13:36.185Z",
+ "modified": "2025-04-16T23:01:54.521Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json b/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json
index 2914f57a6a..954cc8f605 100644
--- a/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json
+++ b/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6e7e675f-1cc1-4eed-8c6e-32834520c0a4",
+ "id": "bundle--9930aba5-450b-45cf-970c-97d2dde88566",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3731962f-64e7-4750-ac8b-40b97eef8725",
"created": "2023-09-29T16:41:15.943Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:41:15.943Z",
+ "modified": "2025-04-16T23:01:54.729Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json b/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json
index 7dcd4d6d77..d217d13b25 100644
--- a/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json
+++ b/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6d817ff3-0f71-4669-a074-8231771c0efc",
+ "id": "bundle--de794a30-531e-4a97-ae05-a78e2247d0ab",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--374837a0-6109-4c95-bee6-893b25ac71cf",
"created": "2023-09-28T21:13:12.715Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:13:12.715Z",
+ "modified": "2025-04-16T23:01:54.931Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json b/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json
index 6d3c337d18..cc8c224501 100644
--- a/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json
+++ b/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c5a4bbaa-af44-4e25-82f9-17997e6f550a",
+ "id": "bundle--22d733bf-fb5b-480d-aa39-a52e468e2db0",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:43:54.996Z",
+ "modified": "2025-04-16T23:01:55.124Z",
"description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json b/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json
index eeab55f576..23dd171b3d 100644
--- a/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json
+++ b/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f340e90e-4676-4940-b79e-e48cbd96894d",
+ "id": "bundle--8bac5951-4ca7-464d-867b-6917cdc3cf2f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:32:20.552Z",
+ "modified": "2025-04-16T23:01:55.366Z",
"description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json b/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json
index 54d969e908..8ff20b1377 100644
--- a/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json
+++ b/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e3097617-0b5e-438c-ae89-019927af75ef",
+ "id": "bundle--e2b6f046-2f97-432c-ac80-a5849413a08b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2",
"created": "2023-09-29T16:31:46.749Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:31:46.749Z",
+ "modified": "2025-04-16T23:01:55.587Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json b/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json
index 18d452a27a..185434c8c8 100644
--- a/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json
+++ b/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--dc098850-6105-4942-89cc-4d6576f0d30b",
+ "id": "bundle--c1edf662-5638-4666-927b-34101fd8ad1e",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:20:20.608Z",
+ "modified": "2025-04-16T23:01:55.836Z",
"description": "An enterprise resource planning (ERP) manufacturing server was lost to the [Ryuk](https://attack.mitre.org/software/S0446) attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open. (Citation: Kelly Jackson Higgins)",
"relationship_type": "uses",
"source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json b/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json
index bc2efeffba..f97da68267 100644
--- a/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json
+++ b/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--25b82829-563d-4c02-96d4-603b14695f1e",
+ "id": "bundle--c32fb7f2-b9ec-4412-a68f-8cc92785a1b9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3843dcca-62a2-4224-9241-05f981fa880a",
"created": "2023-09-28T19:46:23.921Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:46:23.921Z",
+ "modified": "2025-04-16T23:01:56.034Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json b/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json
index 2d81de8e2b..cebf7c9488 100644
--- a/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json
+++ b/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c5f29eea-c5c6-45ea-a158-836d70363f7f",
+ "id": "bundle--5f8f91eb-e3a2-4d0d-9797-c54d046a3a87",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:32:41.938Z",
+ "modified": "2025-04-16T23:01:56.265Z",
"description": "Monitor for newly constructed files copied to or from removable media.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
"target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json b/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json
index 3efb4d91fa..f569c473e0 100644
--- a/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json
+++ b/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--846f3e65-4e21-4f78-931d-dc025ced93dc",
+ "id": "bundle--75c154a6-04b8-4651-b644-4a4c90545858",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--38bda770-c470-4358-a9ad-a5b39bec026b",
"created": "2023-09-29T16:28:28.550Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:28:28.550Z",
+ "modified": "2025-04-16T23:01:56.485Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json b/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json
index 923bca282f..26934e057e 100644
--- a/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json
+++ b/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--71c70de8-c291-4d7c-aa79-7a0cf9b961af",
+ "id": "bundle--3b0f60c6-d5e0-4aab-9832-4dd62025b428",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--39452123-574f-4f3a-95ec-a90170a3d7eb",
"created": "2023-10-02T20:20:44.850Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:20:44.850Z",
+ "modified": "2025-04-16T23:01:56.704Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json b/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json
index 4efc10b562..f53fd09408 100644
--- a/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json
+++ b/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a2c1a612-4469-4e5f-8424-2c98e8728901",
+ "id": "bundle--e23f57fa-bb00-47a2-b3c9-f7a6b7005429",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--399126a9-815d-4c3b-9d5e-f57d698ac742",
"created": "2023-09-28T19:40:36.023Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:40:36.023Z",
+ "modified": "2025-04-16T23:01:56.917Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json b/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json
index c692135e9b..693debf9c5 100644
--- a/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json
+++ b/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8035b078-b097-4cdc-8fda-80b8b2325777",
+ "id": "bundle--677e34aa-398a-4121-9d87-2acee5c71c5d",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Elastic - Koadiac Detection with EQL",
- "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.",
- "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
+ "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.",
+ "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:51:44.656Z",
+ "modified": "2025-04-16T23:01:57.122Z",
"description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json b/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json
index 64c3935d9d..888f112d21 100644
--- a/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json
+++ b/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4641a6a5-2f0a-438d-b3ba-a8d3f806953b",
+ "id": "bundle--fd08a9fd-07a8-4746-bff3-5c52bdec5086",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--39e5a489-f557-4130-a285-e0a82f40685c",
"created": "2023-09-28T19:46:38.112Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:46:38.112Z",
+ "modified": "2025-04-16T23:01:57.345Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json b/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json
index bee6dddf72..8aa26e0e2e 100644
--- a/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json
+++ b/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--27884f27-3ff7-4b24-bb3a-e2a82f26b8ab",
+ "id": "bundle--45062a60-74b6-478b-99e1-6e2b69961b1a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584",
"created": "2023-09-28T19:40:21.763Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:40:21.763Z",
+ "modified": "2025-04-16T23:01:57.561Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9.json b/ics-attack/relationship/relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9.json
index 8ecdeb13ca..5f36709501 100644
--- a/ics-attack/relationship/relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9.json
+++ b/ics-attack/relationship/relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4fe62a57-8a4f-4b0c-965f-fc26d9c1cccd",
+ "id": "bundle--60d1efb4-c955-4e72-ac8a-7d290761eb97",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:00:39.020Z",
+ "modified": "2025-04-16T23:01:57.833Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088)\u2019 tool took one option from the command line, which was a single IP address of the target Triconex device.(Citation: FireEye TRITON Dec 2017)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json b/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json
index 354be50906..11c258d46e 100644
--- a/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json
+++ b/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8a992790-b229-4273-a4c3-6715f3b000a1",
+ "id": "bundle--2e416b0e-9a47-43b7-9142-02636f70e8cb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974",
"created": "2023-09-29T18:56:47.109Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:56:47.110Z",
+ "modified": "2025-04-16T23:01:58.066Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json b/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json
index 83eefa7315..b5ac3d3fd2 100644
--- a/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json
+++ b/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4b059dce-b871-4264-806f-aa7a02302fbd",
+ "id": "bundle--9ac5d5a9-52e1-4631-8873-1a4abea3375a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:23:59.758Z",
+ "modified": "2025-04-16T23:01:58.273Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json b/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json
index 83b63b3528..10b7fe2014 100644
--- a/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json
+++ b/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4aa646ae-de8e-4528-83b9-bdd4b39f3976",
+ "id": "bundle--ea2611c3-c7f1-4b63-b09c-28f1fde27d77",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca",
"created": "2023-09-28T19:44:37.687Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:44:37.687Z",
+ "modified": "2025-04-16T23:01:58.486Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json b/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json
index e07bfeaebb..7bc9b472f8 100644
--- a/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json
+++ b/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ca93e4ca-1b75-486e-8e02-5a295ec64516",
+ "id": "bundle--24523761-73d4-415b-83c8-77eec48b58b1",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:36:37.304Z",
+ "modified": "2025-04-16T23:01:58.707Z",
"description": "[BlackEnergy](https://attack.mitre.org/software/S0089) uses HTTP POST request to contact external command and control servers. (Citation: Booz Allen Hamilton)\n",
"relationship_type": "uses",
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json b/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json
index afde4a88e8..7d0835ab74 100644
--- a/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json
+++ b/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5fabdf96-8853-481b-8971-6a6d64a7a13d",
+ "id": "bundle--b03fd572-0d32-49d7-946d-ec840ec0c70e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea",
"created": "2023-09-28T21:15:18.036Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:15:18.036Z",
+ "modified": "2025-04-16T23:01:58.913Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json b/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json
index d725d1bc2e..31132f9f93 100644
--- a/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json
+++ b/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--069be8a3-9b43-4d7c-9bc3-fa40c66e6d5c",
+ "id": "bundle--72de4544-5ab6-4344-a959-6fd4d5c0c35f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:11:14.662Z",
+ "modified": "2025-04-16T23:01:59.151Z",
"description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json b/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json
index 503f7703ca..435830b896 100644
--- a/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json
+++ b/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--8916a356-df30-4ade-8137-34d85fd02b36",
+ "id": "bundle--2ea75d6e-f3f4-4130-99fd-06ddd609621c",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.237Z",
- "relationship_type": "mitigates",
- "description": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. (Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n",
- "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
- "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "CISA March 2010",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/ncas/tips/ST05-003"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:01:59.380Z",
+ "description": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. (Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
+ "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json b/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json
index 8786b871a5..f92cdcc758 100644
--- a/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json
+++ b/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--37f9cefa-50e6-4312-9bb1-8b4eb614e5d9",
+ "id": "bundle--7eb6adfb-c057-45df-b890-f9a97934d94f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35",
"created": "2023-09-28T19:43:15.817Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:43:15.817Z",
+ "modified": "2025-04-16T23:01:59.605Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json b/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json
index b7e2b3ab66..6d4941d43b 100644
--- a/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json
+++ b/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d1c49e86-1a78-4e53-9c78-94caf4a4dfdd",
+ "id": "bundle--0edccd25-154a-4e56-8b47-0e01c851542a",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:18:50.929Z",
+ "modified": "2025-04-16T23:01:59.868Z",
"description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9",
"target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json b/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json
index 7419636ebc..d4f384a4e9 100644
--- a/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json
+++ b/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9760f0da-283b-4039-828b-4651fec9ad82",
+ "id": "bundle--42322f7e-a722-48d2-bf98-7949e770bf73",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688",
"created": "2023-09-28T19:53:33.603Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:53:33.603Z",
+ "modified": "2025-04-16T23:02:00.098Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json b/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json
index 8f82f24e22..2bf8b80ebe 100644
--- a/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json
+++ b/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ce18c20b-42d3-46dd-ac84-a4528c27d56d",
+ "id": "bundle--0dbdd539-46c7-43fe-aa34-a2f2b06d9d3a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2",
"created": "2023-10-02T20:22:15.907Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:22:15.908Z",
+ "modified": "2025-04-16T23:02:00.330Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json b/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json
index 5d887e40c1..6a0a9a601f 100644
--- a/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json
+++ b/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--89442258-6c8b-4b20-91a8-e868505b158f",
+ "id": "bundle--da7dabe3-3f62-4f60-9061-b9b326818a74",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:52:05.598Z",
+ "modified": "2025-04-16T23:02:00.566Z",
"description": "The name of the [Industroyer](https://attack.mitre.org/software/S0604) payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json b/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json
index 31062cd8af..22b5a0920d 100644
--- a/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json
+++ b/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--f60f5ff0-9bed-4b64-b44c-ffd5e2b4a6d1",
+ "id": "bundle--9375991f-89a7-45cd-8b64-64c12f46fa4b",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.216Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:00.821Z",
"description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json b/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json
index 909145288f..a1138e2e06 100644
--- a/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json
+++ b/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3c168dc3-c109-41ca-ba09-3040c39c32c4",
+ "id": "bundle--0819815b-57ab-4d9b-b97a-c3107f1d54d2",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:57:59.240Z",
+ "modified": "2025-04-16T23:02:01.072Z",
"description": "Monitor for known proxy protocols (e.g., SOCKS, Tor, peer-to-peer protocols) and tool usage (e.g., Squid, peer-to-peer software) on the network that are not part of normal operations. Also monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json b/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json
index 613f647e24..fa133d47bd 100644
--- a/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json
+++ b/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b6b1caa7-cf2a-402f-a8ef-df4f63ca55cb",
+ "id": "bundle--09bad542-e2bb-476c-b839-1dd575517c0a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:46:17.575Z",
+ "modified": "2025-04-16T23:02:01.281Z",
"description": "Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json b/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json
index 062eafd2d6..d7d5fcb77a 100644
--- a/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json
+++ b/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0a69e909-44ae-448c-92c6-3c93a58af8a8",
+ "id": "bundle--f21c3cc4-e6c8-4011-8bc3-a92dea6a1941",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:11:30.678Z",
+ "modified": "2025-04-16T23:02:01.494Z",
"description": "Monitor operational process data for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json b/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json
index 39299cfd42..26ed0686c0 100644
--- a/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json
+++ b/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d06d5aa4-f413-4f6b-9824-d5098b0bfbc1",
+ "id": "bundle--39506e5c-c480-4a25-938c-8247b5019ab5",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:12:08.899Z",
+ "modified": "2025-04-16T23:02:01.720Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) calls system function blocks which are part of the operating system running on the PLC. Theyre used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json b/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json
index 37b715c25b..edf3cfdfe3 100644
--- a/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json
+++ b/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e8326629-fd7c-4192-89fe-d1d3cc0cb0d2",
+ "id": "bundle--552d5a3b-0b8c-45d3-ade2-048fb950b04f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T18:41:15.273Z",
+ "modified": "2025-04-16T23:02:01.924Z",
"description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json b/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json
index a4e74fb1c8..138ed83ae9 100644
--- a/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json
+++ b/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a0a15d38-a3b0-4c15-95fe-ca369457db95",
+ "id": "bundle--c8d1a16e-a7cd-4562-ab3c-2c6425d8cbf4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a",
"created": "2023-09-28T21:26:11.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:26:11.506Z",
+ "modified": "2025-04-16T23:02:02.154Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json b/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json
index dcb87f4eb9..5a55df9a67 100644
--- a/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json
+++ b/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--eb8ca0c3-a62d-48f4-b7b4-c2c18e731a27",
+ "id": "bundle--aca0d361-959c-4322-96b7-d0fae40b4187",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T19:19:04.853Z",
+ "modified": "2025-04-16T23:02:02.385Z",
"description": "Monitor logon activity for unexpected or unusual access to devices from the Internet.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b",
"target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json b/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json
index ded2bcbf59..14876f5ad4 100644
--- a/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json
+++ b/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--0c3908f7-d603-49cf-b15d-883e3e3b04b8",
+ "id": "bundle--d934618c-411b-4fbf-ae2c-a685dfa429bd",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.109Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:02.598Z",
"description": "Minimize the exposure of API calls that allow the execution of code.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30",
"target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json b/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json
index 1534b6461b..1e787cd12f 100644
--- a/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json
+++ b/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--5f364240-f963-41c3-ad38-a88dcfdcf2d0",
+ "id": "bundle--d86c413e-2fab-4de3-8b85-c0f9106636ae",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.166Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:02.818Z",
"description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e.json b/ics-attack/relationship/relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e.json
index 2583645693..7d063e64ce 100644
--- a/ics-attack/relationship/relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e.json
+++ b/ics-attack/relationship/relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1e1abdf9-a832-43d5-a5f9-90a8c911a1dc",
+ "id": "bundle--ae992f3a-88e8-4905-8bfc-bcd51d44f45d",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:00:51.312Z",
+ "modified": "2025-04-16T23:02:03.041Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used a publicly available PowerShell-based tool, WMImplant.(Citation: FireEye TEMP.Veles 2018)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json b/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json
index 6c5159eac8..1ac7777d44 100644
--- a/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json
+++ b/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--527bfa99-8ee6-4582-86ba-21cd8c4217fa",
+ "id": "bundle--75653677-2e65-482b-afa2-b1e84e7ddf2c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d",
"created": "2022-09-30T15:28:37.614Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-30T15:28:37.614Z",
+ "modified": "2025-04-16T23:02:03.266Z",
"description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json b/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json
index 2297043dd1..41f7e9666e 100644
--- a/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json
+++ b/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d68baf0d-69b7-44ac-8af3-6bd5bdf01506",
+ "id": "bundle--67f3cbf3-c97a-4037-b290-0d43aee06965",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5",
"created": "2023-09-29T17:05:08.346Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:05:08.346Z",
+ "modified": "2025-04-16T23:02:03.473Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json b/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json
index cc805a292a..c0db7833d4 100644
--- a/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json
+++ b/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--79285260-3dc6-4d4a-84af-fa11cfaadab7",
+ "id": "bundle--854cbf5a-fcb8-4003-a431-72f491f69d15",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1",
"created": "2023-09-29T16:44:16.391Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:44:16.391Z",
+ "modified": "2025-04-16T23:02:03.720Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json b/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json
index 52c7885f72..b734548785 100644
--- a/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json
+++ b/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a3ff5bf0-d087-4ad0-b534-4d822eeeb47a",
+ "id": "bundle--f0002bb8-655b-4a0f-8117-32146c798c6b",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.214Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:03.943Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json b/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json
index 8323e58a7a..a37b464473 100644
--- a/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json
+++ b/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--18ba134e-6cce-4177-bc9e-f526f57bc843",
+ "id": "bundle--a65c1355-a037-4d1b-aac0-40c33c2d48ab",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:15:05.195Z",
+ "modified": "2025-04-16T23:02:04.166Z",
"description": "Monitor DLL file events, specifically creation of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json b/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json
index 040cfdbfb6..071ff2a22f 100644
--- a/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json
+++ b/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--c313532f-2a67-4630-ab3e-2cac94934890",
+ "id": "bundle--66f7a2c8-e02a-4ad3-b31d-fa39d14025d8",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.092Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:04.386Z",
"description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json b/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json
index 3156420d50..224088f942 100644
--- a/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json
+++ b/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a48521e7-99be-4859-a44f-af481f159e2e",
+ "id": "bundle--34dd4a50-ad7b-496f-97be-c9c150df2304",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9",
"created": "2023-09-29T17:39:42.457Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:39:42.457Z",
+ "modified": "2025-04-16T23:02:04.618Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3f261739-b6ec-4a86-94a3-146929f9facf.json b/ics-attack/relationship/relationship--3f261739-b6ec-4a86-94a3-146929f9facf.json
new file mode 100644
index 0000000000..3747de2666
--- /dev/null
+++ b/ics-attack/relationship/relationship--3f261739-b6ec-4a86-94a3-146929f9facf.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--83a9f38c-a2d9-41ec-9aee-1ed4d2767c14",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--3f261739-b6ec-4a86-94a3-146929f9facf",
+ "created": "2024-11-20T23:28:20.295Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:04.869Z",
+ "description": "In [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary caused the victim controllers to report incorrect measurements by modifying parameters.(Citation: Dragos FROSTYGOOP 2024)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f",
+ "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json b/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json
index 40f21bd412..a34a74a464 100644
--- a/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json
+++ b/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--b933fbcf-dd8f-426e-894f-a9d338c02670",
+ "id": "bundle--aa1d5699-13f5-4a48-b4ab-44256654897f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.236Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:05.085Z",
"description": "Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json b/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json
index faa41f9f29..619fe133a1 100644
--- a/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json
+++ b/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--32950a1b-77c6-4764-8a55-d703a0fc41ea",
+ "id": "bundle--d63d3754-d6af-4a49-af71-8b80570ea8b7",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:40:51.224Z",
+ "modified": "2025-04-16T23:02:05.320Z",
"description": "Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json b/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json
index 04e93f4a0e..2afc9cb3a5 100644
--- a/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json
+++ b/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json
@@ -1,33 +1,32 @@
{
"type": "bundle",
- "id": "bundle--efa36ec9-a738-49c0-b3b9-37c3b18a3cbe",
+ "id": "bundle--e7d9b0c3-9607-496a-af1d-8fce2f296560",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572",
"created": "2018-04-18T17:59:24.739Z",
- "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"external_references": [
{
"source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015",
- "url": "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf",
- "description": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 "
+ "description": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 ",
+ "url": "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf"
}
],
- "x_mitre_deprecated": false,
- "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:05.537Z",
"description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. (Citation: Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015)",
- "modified": "2022-08-11T13:23:12.321Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"relationship_type": "uses",
"source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json b/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json
index 7023f52548..24760dfb84 100644
--- a/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json
+++ b/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--35b05ed7-bbc8-4762-907e-31729f3cb409",
+ "id": "bundle--11d6693e-39fe-4265-ad21-5e4bec7a27d2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe",
"created": "2023-09-28T21:17:18.201Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:17:18.201Z",
+ "modified": "2025-04-16T23:02:05.764Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json b/ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json
index dbe7ee92d2..b844084bfc 100644
--- a/ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json
+++ b/ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ca90737f-71f5-40fc-bc90-392ab6dc08ec",
+ "id": "bundle--dd20463f-19e9-4b8c-a61a-ca72a9a71fd5",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T15:19:28.937Z",
+ "modified": "2025-04-16T23:02:05.999Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult. (Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json b/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json
index f87f65b5fa..d17087eb72 100644
--- a/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json
+++ b/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e82826ed-ebf1-4ac4-a07e-6f702c8c17b7",
+ "id": "bundle--a4036ae3-a88c-4618-bebf-f09701f86978",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa",
"created": "2023-09-28T20:27:43.727Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:27:43.727Z",
+ "modified": "2025-04-16T23:02:06.232Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json b/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json
index 637915b55b..b1b8581eb5 100644
--- a/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json
+++ b/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--12af7edb-c68a-472f-a116-d79fb8b1d0d5",
+ "id": "bundle--df189864-929d-4076-bb8f-d77eb410b77a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542",
"created": "2023-09-29T18:57:32.665Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:57:32.665Z",
+ "modified": "2025-04-16T23:02:06.451Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json b/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json
index 5aa75cb0ec..0390a5588f 100644
--- a/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json
+++ b/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--76c716ae-5148-46c0-8d15-6371068cb8d5",
+ "id": "bundle--26628240-f663-49e4-bb14-5b26584c6126",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.435Z",
+ "modified": "2025-04-16T23:02:06.668Z",
"description": "The [INCONTROLLER](https://attack.mitre.org/software/S1045) PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.(Citation: Wylie-22)",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json b/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json
index 554af41cb1..057cc8e8df 100644
--- a/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json
+++ b/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--eee3c54e-624a-4784-bbd7-4b5559a1a48a",
+ "id": "bundle--e37d2542-cfcf-4de9-a162-96942560ae9d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4",
"created": "2023-09-29T18:05:42.611Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:05:42.611Z",
+ "modified": "2025-04-16T23:02:06.892Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json b/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json
index 7454df4d24..f727dc70d8 100644
--- a/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json
+++ b/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--59528578-6fd7-4e82-98ef-9c0e0a5b072d",
+ "id": "bundle--8a7fae0e-9b1f-43a8-84c8-11da5aafebca",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T19:38:28.550Z",
+ "modified": "2025-04-16T23:02:07.118Z",
"description": "Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. Monitor for relevant process creation events.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json b/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json
index f340df1e04..5e28ba9d58 100644
--- a/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json
+++ b/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--52bb5f03-8535-443b-a7f7-3c5717739083",
+ "id": "bundle--2fe2033a-26d5-4d20-bf76-585dd7c676ad",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db",
"created": "2023-09-29T17:04:46.290Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:04:46.290Z",
+ "modified": "2025-04-16T23:02:07.332Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--41a109dd-11d9-4840-a38b-088fc790f45a.json b/ics-attack/relationship/relationship--41a109dd-11d9-4840-a38b-088fc790f45a.json
index 5bfd3d300f..655df23869 100644
--- a/ics-attack/relationship/relationship--41a109dd-11d9-4840-a38b-088fc790f45a.json
+++ b/ics-attack/relationship/relationship--41a109dd-11d9-4840-a38b-088fc790f45a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c169c4f7-92d8-401f-8c2e-50eb5c510ae2",
+ "id": "bundle--67c5026c-1556-49c3-a7a1-60194c60123c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--41a109dd-11d9-4840-a38b-088fc790f45a",
"created": "2024-03-25T20:17:27.552Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-25T20:17:27.552Z",
+ "modified": "2025-04-16T23:02:07.563Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json b/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json
index af4ee86cc1..7d76426387 100644
--- a/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json
+++ b/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--25179a87-a057-4813-b1c4-0417a7e46422",
+ "id": "bundle--227acbe1-d8a5-491c-86be-041f4c233ebc",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.145Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:07.779Z",
"description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json b/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json
index 6f3858f794..a4244762a3 100644
--- a/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json
+++ b/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--50eca965-57d8-4018-a890-bf15f694594a",
+ "id": "bundle--e689c1fd-5d42-4983-aa9a-b707775984d7",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.160Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:07.977Z",
"description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json b/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json
index 0dd786980d..0fff944d80 100644
--- a/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json
+++ b/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9a544777-d6e0-4717-87e5-97d56bfe47f7",
+ "id": "bundle--619b574b-05ae-49cf-8128-ce778ead4c42",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d",
"created": "2023-09-28T19:58:43.542Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:58:43.542Z",
+ "modified": "2025-04-16T23:02:08.191Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json b/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json
index 71caf14773..d4b04f1501 100644
--- a/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json
+++ b/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--93d05893-d240-477d-81a7-3a5aab00170e",
+ "id": "bundle--3f03e98c-ff9c-4280-a18a-00a885bfac4d",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34",
+ "created": "2021-04-12T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-12T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.187Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:08.414Z",
"description": "All communication sessions to remote services should be authenticated to prevent unauthorized access.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json b/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json
index 93e1346f34..12444cc096 100644
--- a/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json
+++ b/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2d382f9e-dd09-4032-990b-d6fc13e669d3",
+ "id": "bundle--8b841e66-0585-42d0-a374-6c41da1e90d3",
"spec_version": "2.0",
"objects": [
{
@@ -12,7 +12,7 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
},
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.259Z",
+ "modified": "2025-04-16T23:02:08.611Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power breakers were opened which caused the operating companies to be unable to deliver power, and left thousands of businesses and households without power for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json b/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json
index a47fdf2bed..54899c4a13 100644
--- a/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json
+++ b/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--bcaf9f6b-907e-4657-9a6b-d89931652de3",
+ "id": "bundle--7112bcee-3011-4f62-8c8c-26963c2a2758",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--42508a8e-44d5-4af1-9e66-bace5fc94734",
"created": "2022-09-27T18:49:25.089Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T18:49:25.089Z",
+ "modified": "2025-04-16T23:02:08.836Z",
"description": "Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json b/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json
index 63e57de9ec..d75d7a928d 100644
--- a/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json
+++ b/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--367db767-934f-4621-8be6-b32ff8f2b188",
+ "id": "bundle--ea9b89c2-bfe5-4b84-8b04-866756c856bc",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.178Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:09.044Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json b/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json
index 92ab718270..ba70935cd5 100644
--- a/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json
+++ b/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--1b58dde1-c03f-4233-9b8c-9fdec1b72ba5",
+ "id": "bundle--04edd4ec-5ec6-45a9-a394-d01b0533dea7",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.185Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:09.269Z",
"description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
"target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json b/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json
index ec3b686365..c91ba1c828 100644
--- a/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json
+++ b/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--18d8a6f3-12ba-4f5f-adc6-899ebc3df194",
+ "id": "bundle--e89d63e7-01fa-4e68-bf7e-a528b2463b52",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b",
"created": "2023-09-28T19:58:54.450Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:58:54.450Z",
+ "modified": "2025-04-16T23:02:09.477Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json b/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json
index 6465f90c03..eca064ee49 100644
--- a/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json
+++ b/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--69dfc4de-00ad-4444-b6ae-4da8dd191d19",
+ "id": "bundle--67c2a2e9-4905-49f0-a2f1-d362cbee07dc",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--43344cd7-5004-4dac-8b62-8899105fa265",
"created": "2023-09-29T18:47:20.334Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:47:20.334Z",
+ "modified": "2025-04-16T23:02:09.681Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json b/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json
index 48e033fee7..48725b6ab8 100644
--- a/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json
+++ b/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--21a4e8f8-c5ea-4fd9-89fe-738ded2a1519",
+ "id": "bundle--f3993de1-3865-4577-ab3b-2e974a4e7f93",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:16:26.262Z",
+ "modified": "2025-04-16T23:02:09.883Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json b/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json
index 91f362897a..ef5e220194 100644
--- a/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json
+++ b/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--2c597ce6-456a-4d87-82b0-df045e26de1e",
+ "id": "bundle--251e597e-6429-49a7-8b07-071a0ebe3431",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.120Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:10.095Z",
"description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json b/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json
index 25aa710903..faca374dbf 100644
--- a/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json
+++ b/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3ab0da47-cd3b-4d5a-ba37-9dc382a9e065",
+ "id": "bundle--ccb85271-f2c4-421d-8a74-c11777d5574f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:24:52.417Z",
+ "modified": "2025-04-16T23:02:10.331Z",
"description": "Monitor device alarms for program downloads, although not all devices produce such alarms.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--43b11545-3b70-4284-a369-bed7a0de4fd0.json b/ics-attack/relationship/relationship--43b11545-3b70-4284-a369-bed7a0de4fd0.json
index 0b1247e9b1..1d98337944 100644
--- a/ics-attack/relationship/relationship--43b11545-3b70-4284-a369-bed7a0de4fd0.json
+++ b/ics-attack/relationship/relationship--43b11545-3b70-4284-a369-bed7a0de4fd0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f9255aca-0494-4d41-ae40-165e63f08939",
+ "id": "bundle--7fb843ba-73f0-4436-8078-91a8145c0b55",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-17T15:19:32.247Z",
+ "modified": "2025-04-16T23:02:10.528Z",
"description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilizes a Visual Basic script `lun.vbs` to execute `n.bat` which then executed the MicroSCADA `scilc.exe` command.(Citation: Mandiant-Sandworm-Ukraine-2022)",
"relationship_type": "uses",
"source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json b/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json
index a800ece998..c44d37f9a9 100644
--- a/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json
+++ b/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--65325803-fefa-45f7-b4b2-22cf6b390c78",
+ "id": "bundle--cb0a0c08-8791-4787-8ca3-86d6c683efb1",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.214Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:10.748Z",
"description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json b/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json
index 38ddd19436..66bb5c1604 100644
--- a/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json
+++ b/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--e71d416e-7e1e-4d5c-8078-1fd8e82aa3ac",
+ "id": "bundle--21b30f4d-45db-497d-aff1-c06f84dc207c",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de",
+ "created": "2021-04-13T12:36:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-13T12:36:26.506Z",
- "modified": "2022-05-06T17:47:24.166Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:10.968Z",
"description": "Minimize the exposure of API calls that allow the execution of code.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30",
"target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json b/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json
index e546d6ad88..d903d87506 100644
--- a/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json
+++ b/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3ec3a91a-ad1c-4f07-9ca0-52e3dcd2e54d",
+ "id": "bundle--042fb629-10ff-47f1-b4a9-bcf1e88a2ea7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b",
"created": "2022-09-27T19:06:12.301Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T19:06:12.302Z",
+ "modified": "2025-04-16T23:02:11.200Z",
"description": "A manipulated I/O image requires analyzing the application program running on the PLC for specific data block writes. Detecting this requires obtaining and analyzing a PLC\u2019s application program, either directly from the device or from asset management platforms.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d",
"target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json b/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json
index 1797563aae..d7f0dfb258 100644
--- a/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json
+++ b/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--fdeca736-9f75-41f2-8bc9-4c60608e495c",
+ "id": "bundle--d33afdaa-a7e9-47ae-9730-0f0b53f8b76f",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T21:22:38.490Z",
+ "modified": "2025-04-16T23:02:11.416Z",
"description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json b/ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json
index daf3cf76ba..aca8964677 100644
--- a/ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json
+++ b/ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--43c73cc9-b5f7-4b70-ba94-67e476862125",
+ "id": "bundle--e04e9a8f-2b00-4605-93d5-31290a98aa50",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4508bdef-9528-47ae-804c-bc59d1e694e7",
"created": "2023-09-28T20:02:35.354Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:02:35.354Z",
+ "modified": "2025-04-16T23:02:11.638Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json b/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json
index f08c5e7fc8..4926fe06ce 100644
--- a/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json
+++ b/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b0e445e6-9f1d-4f54-bf74-b44c8714553c",
+ "id": "bundle--390eb107-aef3-4685-a5bb-0f66d822d34f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--456ff399-4925-45d4-aa84-d930eae5348e",
"created": "2023-09-28T20:26:47.786Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:26:47.786Z",
+ "modified": "2025-04-16T23:02:11.878Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json b/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json
index 5da380e316..c1c6ec9b56 100644
--- a/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json
+++ b/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--64006259-6fd2-418b-a86d-28c7a6dc2b64",
+ "id": "bundle--5e2bd6ee-9e02-4de6-bd42-c5688af80c00",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f",
"created": "2023-10-02T20:22:02.539Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:22:02.539Z",
+ "modified": "2025-04-16T23:02:12.094Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json b/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json
index 30cd6b7ba9..210c9f1090 100644
--- a/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json
+++ b/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9e4ce166-26bc-4e44-8fd3-6b077df91c33",
+ "id": "bundle--9d993f9b-bd0f-4083-b268-839574d91205",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9",
"created": "2023-09-28T20:15:32.382Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:15:32.382Z",
+ "modified": "2025-04-16T23:02:12.313Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json b/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json
index 3a0a041615..23ce88c8c3 100644
--- a/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json
+++ b/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--58091ee3-eb8c-44a8-a9e0-462ec7d3f281",
+ "id": "bundle--a2464642-0459-4e07-a0b3-967171fba32b",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--45ee1822-71e4-4d92-976d-306561b70555",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.106Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:12.529Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json b/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json
index 89e64243d6..ec5e2db237 100644
--- a/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json
+++ b/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--9b4c32c7-90b0-4528-be88-78514feef168",
+ "id": "bundle--d8849cab-af1a-4308-b930-36df5613f8e2",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.073Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:12.763Z",
"description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json b/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json
index f9c23e0165..cf1ceb36ec 100644
--- a/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json
+++ b/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a713e88b-ea1a-4967-b9cb-0b7b6a09bac2",
+ "id": "bundle--8e3559dc-2f11-4859-b211-d1058024d65f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T19:22:17.841Z",
+ "modified": "2025-04-16T23:02:12.973Z",
"description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json b/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json
index 633bf0657f..ab636fd2d6 100644
--- a/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json
+++ b/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--d1787981-3f82-42de-a3d2-d225cae60624",
+ "id": "bundle--5f695176-ecef-4aa4-9701-5e14453dff13",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.164Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:13.208Z",
"description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json b/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json
index 1ec65df0ba..963f25284d 100644
--- a/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json
+++ b/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0ded0d07-b9c4-42d0-97eb-a4b42d503505",
+ "id": "bundle--5aaa8634-d083-4e05-933e-6b6bd29e57fc",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4653847b-c089-4435-9159-6f76353833f7",
"created": "2023-09-25T20:43:22.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:43:22.274Z",
+ "modified": "2025-04-16T23:02:13.419Z",
"description": "All field controllers should restrict the modification of controller tasks to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json b/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json
index c210086ac9..4c2378382f 100644
--- a/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json
+++ b/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3f99dc63-cbe6-4742-a392-2a10e47ed90c",
+ "id": "bundle--4d825e67-477c-43f2-a12d-5ffb22a40705",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf",
"created": "2023-09-29T16:42:20.944Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:42:20.944Z",
+ "modified": "2025-04-16T23:02:13.639Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json b/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json
index 49b74a2271..de843fc9d1 100644
--- a/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json
+++ b/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1483b453-a8c9-4ca1-ae10-8739a345b594",
+ "id": "bundle--c23e72bb-bcf2-4a3d-ae50-c921c45553c0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--46798892-d849-43fe-8147-b40cc9da291e",
"created": "2023-09-28T19:42:29.359Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:42:29.359Z",
+ "modified": "2025-04-16T23:02:13.854Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json b/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json
index cb1ddb55c9..2440035667 100644
--- a/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json
+++ b/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--90de22aa-baa2-447a-8b95-edffc42bb212",
+ "id": "bundle--9e4fcd7a-8219-40ce-9661-26d9216bc21c",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:56:30.836Z",
+ "modified": "2025-04-16T23:02:14.064Z",
"description": "While Norsk Hydro attempted to recover from a [LockerGoga](https://attack.mitre.org/software/S0372) infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity. (Citation: Kevin Beaumont)(Citation: Hydro)",
"relationship_type": "uses",
"source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9.json b/ics-attack/relationship/relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9.json
index fae7e508f6..716386cb87 100644
--- a/ics-attack/relationship/relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9.json
+++ b/ics-attack/relationship/relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e3d3ea8f-f59e-4209-9ff6-a14262dbff65",
+ "id": "bundle--d365a75d-4635-4b6b-b61c-1d1ddb51f9f3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9",
"created": "2024-03-25T20:17:59.424Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-25T20:17:59.424Z",
+ "modified": "2025-04-16T23:02:14.277Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json b/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json
index aaaf005ebd..2246a1f42d 100644
--- a/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json
+++ b/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c41cb84b-85a8-4bb0-bf30-25135adbeb0d",
+ "id": "bundle--769e21c0-d590-4747-a336-ac0175ad6c0e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4768c731-3be9-44b8-a217-dfbececa57d9",
"created": "2023-09-29T18:06:22.868Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:06:22.868Z",
+ "modified": "2025-04-16T23:02:14.477Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json b/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json
index d86ec25530..1f375b3480 100644
--- a/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json
+++ b/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--77fc6643-cca6-473f-ae02-64d5221db9f9",
+ "id": "bundle--eb9a3c4c-d559-4019-872d-e171887a004c",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:30:58.676Z",
+ "modified": "2025-04-16T23:02:14.680Z",
"description": "Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json b/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json
index 79e7cfdf41..f1da594426 100644
--- a/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json
+++ b/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b7cac0cb-7891-4727-8374-f8b845aefeae",
+ "id": "bundle--594b845f-4212-4041-9b30-ed269a4c8bcd",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:18:32.118Z",
+ "modified": "2025-04-16T23:02:14.899Z",
"description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json b/ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json
index 9817d1d72c..bd5b90e3fc 100644
--- a/ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json
+++ b/ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b9e8b542-3f8f-423d-94c1-76cb1f890b79",
+ "id": "bundle--5ec06b05-eeec-49b0-9a79-2ed5d47c10b1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--483719ad-c973-4210-b059-14e87dbd45f8",
"created": "2023-09-28T19:49:43.417Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:49:43.417Z",
+ "modified": "2025-04-16T23:02:15.147Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json b/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json
index 8a59e967e4..7983c2c897 100644
--- a/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json
+++ b/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--eebdcc80-d2e8-45da-a1cb-100e1066f70d",
+ "id": "bundle--1db02667-2886-4eb1-a9f9-6a1f2b0079b3",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.224Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:15.374Z",
"description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957.json b/ics-attack/relationship/relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957.json
index 7c4591db14..253ac0d752 100644
--- a/ics-attack/relationship/relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957.json
+++ b/ics-attack/relationship/relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f0308e8e-35a9-4823-8d1e-89307be8b76b",
+ "id": "bundle--7b739b9c-921d-4d15-b135-73378a90a164",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957",
"created": "2024-04-09T20:50:34.946Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:50:34.946Z",
+ "modified": "2025-04-16T23:02:15.592Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json b/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json
index 2b50b0e892..e8fca7a3d0 100644
--- a/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json
+++ b/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--ea445b16-ed69-417a-a5ff-608aeb658f25",
+ "id": "bundle--1a1c8915-b5f2-4988-88cd-4f1b53e60bdd",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.102Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:15.804Z",
"description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json b/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json
index 6ec834c742..b5a4092941 100644
--- a/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json
+++ b/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1732bfea-ea66-4f3f-ab84-e2d8f0912909",
+ "id": "bundle--76c2a0ad-4525-404c-b385-1bcfb4e6cb68",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--49242ea8-4813-49f7-8bd4-9668216cceeb",
"created": "2023-09-29T16:45:53.300Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:45:53.300Z",
+ "modified": "2025-04-16T23:02:16.023Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json b/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json
index c4c2f84569..ea53e13b69 100644
--- a/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json
+++ b/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--afdf77b7-abb9-41e8-aefb-a71a09129597",
+ "id": "bundle--7f4bd2fc-29c4-451d-95d6-c18bc297af34",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471",
+ "created": "2021-04-12T18:59:17.429Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-12T18:59:17.429Z",
- "modified": "2022-05-06T17:47:24.186Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:16.269Z",
"description": "Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json b/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json
index 3c12e39c76..85247d4f1b 100644
--- a/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json
+++ b/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5bffc8b5-3149-4383-a0ae-dee53b8732eb",
+ "id": "bundle--3e63662b-2097-4b01-abed-fa26ca0bb40d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4981a944-b3ad-4d78-9881-a17d458e3422",
"created": "2023-09-28T20:01:30.138Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:01:30.138Z",
+ "modified": "2025-04-16T23:02:16.504Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json b/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json
index 5555c42dcb..1a17bdeb7c 100644
--- a/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json
+++ b/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1af32931-a9bf-4171-b6b3-89fc2d98441b",
+ "id": "bundle--63439e41-4e8d-42c1-ac63-a1f200f04771",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-07T19:50:55.445Z",
+ "modified": "2025-04-16T23:02:16.718Z",
"description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: `cscript C:\\Backinfo\\ufn.vbs C:\\Backinfo\\101.dll C:\\Delta\\101.dll`(Citation: Dragos Crashoverride 2018)",
"relationship_type": "uses",
"source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json b/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json
index 6e43369258..124e9e7011 100644
--- a/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json
+++ b/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--cb945947-3dd5-477c-ba0b-e82026d42452",
+ "id": "bundle--f27afb94-21df-4d1d-9b7f-a48c2c6ed024",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:27:26.605Z",
+ "modified": "2025-04-16T23:02:16.924Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json b/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json
index bf4a3ab81b..f7b1b09286 100644
--- a/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json
+++ b/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--207fdea8-1662-4edd-a01c-9cfdd6358ffa",
+ "id": "bundle--51c2ebbb-ad1d-46b1-82ee-8e9e84e1a54e",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-29T14:04:13.656Z",
+ "modified": "2025-04-16T23:02:17.141Z",
"description": "Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible, to determine their actions and intent.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json b/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json
index ea9fd34254..46ced38dea 100644
--- a/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json
+++ b/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--cf5849e8-1a12-42ed-8867-99f18f6445d2",
+ "id": "bundle--7625e20e-fa59-4da7-b4f0-6c4780a8642f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05",
"created": "2023-09-28T19:41:47.648Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:41:47.648Z",
+ "modified": "2025-04-16T23:02:17.384Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json b/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json
index ab1cc16682..fb9ae39ed6 100644
--- a/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json
+++ b/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9a52b4d1-7443-4778-bf11-3d700b9630f3",
+ "id": "bundle--17134e9e-a1ef-4b4c-8078-672fda8706ae",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4a7340fc-0eec-4459-a491-952d736b79ef",
"created": "2023-09-28T19:50:42.505Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:50:42.505Z",
+ "modified": "2025-04-16T23:02:17.593Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json b/ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json
index fa61619abd..620166c416 100644
--- a/ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json
+++ b/ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f659b580-3dae-4bb5-bae7-d10805e3e666",
+ "id": "bundle--b3929a98-d553-4395-9fd6-c5b4a7834cf3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198",
"created": "2023-09-28T21:09:50.956Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:09:50.956Z",
+ "modified": "2025-04-16T23:02:17.814Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json b/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json
index f7d70517a9..2c68804161 100644
--- a/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json
+++ b/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--20465e80-4ac7-4e98-b6b7-976839515d51",
+ "id": "bundle--5a302f74-caa2-4f49-a99a-b164992a30b1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4b57e41c-246f-44b3-b259-1811d5275e10",
"created": "2022-09-26T15:16:32.057Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:16:32.057Z",
+ "modified": "2025-04-16T23:02:18.020Z",
"description": "Consult asset management systems to understand expected alarm settings.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json b/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json
index 3fa0f46fad..24c947a9e5 100644
--- a/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json
+++ b/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e35d38ea-6749-4c33-97b8-e305712f853f",
+ "id": "bundle--0af2c4c7-21c4-4c51-b3e4-360487573f4a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596",
"created": "2023-09-28T21:24:51.818Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:24:51.818Z",
+ "modified": "2025-04-16T23:02:18.221Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json b/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json
index 179a50b783..42c5e8a61b 100644
--- a/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json
+++ b/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0510377d-e9ee-459d-8a4d-805932957b7c",
+ "id": "bundle--1d2486a3-71c8-4055-a226-1d4bd7aaff73",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4b853b7c-bc55-4599-b88d-d08d651526c0",
"created": "2023-09-29T18:49:25.209Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:49:25.209Z",
+ "modified": "2025-04-16T23:02:18.442Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json b/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json
index 1bd8affa1c..9365fe6b90 100644
--- a/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json
+++ b/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3dfe426d-10c2-4bf5-a581-cf69a0456b29",
+ "id": "bundle--eb79838f-d8a0-4f46-a911-3e75d42c0494",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-07T17:51:39.294Z",
+ "modified": "2025-04-16T23:02:18.645Z",
"description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.(Citation: Dragos Crashoverride 2018)",
"relationship_type": "uses",
"source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json b/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json
index 911198349e..33365e8a9a 100644
--- a/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json
+++ b/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8e9a6556-90df-454a-92c0-f38352235de8",
+ "id": "bundle--d19dfb52-22b9-41ab-b1d2-bc90a67391da",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12",
"created": "2023-09-28T19:59:23.856Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:59:23.856Z",
+ "modified": "2025-04-16T23:02:18.868Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json b/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json
index b68fd350a6..87e915749e 100644
--- a/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json
+++ b/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3da45ed1-0355-4eac-818c-e8cd0e34eeb2",
+ "id": "bundle--e0120cbc-4e37-406e-928b-18de1cfad4e8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962",
"created": "2023-09-28T21:23:14.975Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:23:14.975Z",
+ "modified": "2025-04-16T23:02:19.069Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json b/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json
index d2ed04b4b0..0e67c5d26a 100644
--- a/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json
+++ b/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e69b0886-6373-4941-92e3-e297a05633ec",
+ "id": "bundle--ab83f508-6288-4fc9-b3a5-14cd3429e9a9",
"spec_version": "2.0",
"objects": [
{
@@ -29,15 +29,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:13:08.567Z",
+ "modified": "2025-04-16T23:02:19.281Z",
"description": "Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.(Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource.(Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.(Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
"target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json b/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json
index fc6fff4809..ecae30b617 100644
--- a/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json
+++ b/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--dc48e75c-f132-417f-8477-dfda27d5457c",
+ "id": "bundle--7ecb8d23-a61a-4958-aae3-3df1397f1ff9",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T13:37:24.610Z",
+ "modified": "2025-04-16T22:13:35.299Z",
"description": "(Citation: Andy Greenberg June 2017) (Citation: US District Court Indictment GRU Unit 74455 October 2020)",
"relationship_type": "attributed-to",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json b/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json
index a3fc9410ef..da87353f1e 100644
--- a/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json
+++ b/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e43ca2a8-1429-450f-8662-6611c8b118e0",
+ "id": "bundle--dd15bdb9-9ed2-4cc7-9228-37460be2a574",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7",
"created": "2023-09-28T20:27:04.841Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:27:04.841Z",
+ "modified": "2025-04-16T23:02:19.583Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json b/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json
index bc714f8659..2a11e262b6 100644
--- a/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json
+++ b/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a7a01f79-bb49-4fd7-be7d-63455e6a1803",
+ "id": "bundle--31d5b257-0121-4996-8a92-6c9a4b98dbb6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4",
"created": "2023-09-28T21:28:11.821Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:28:11.821Z",
+ "modified": "2025-04-16T23:02:19.805Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json b/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json
index 5dd91a863a..d6222e2d8f 100644
--- a/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json
+++ b/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--509f4901-3fad-463d-9c76-d4a6061621b5",
+ "id": "bundle--10f8e688-51c1-4203-8ea2-b548b5787543",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.435Z",
+ "modified": "2025-04-16T23:02:20.025Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json b/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json
index 9f4f0098f1..e6f74b407e 100644
--- a/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json
+++ b/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--722eebd8-4788-44a4-afd9-49924d0b447e",
+ "id": "bundle--409b75bb-3ea0-4dc2-82e0-25d98ea5b4fb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5",
"created": "2023-09-29T18:02:38.399Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:02:38.399Z",
+ "modified": "2025-04-16T23:02:20.229Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json b/ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json
index 015b5c1fd9..3ee7224379 100644
--- a/ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json
+++ b/ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3cade1d4-d9bf-4968-b8e0-361de2043dbb",
+ "id": "bundle--eaeb1c11-5c8d-42cc-b155-c5205849f4e6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93",
"created": "2023-09-29T17:57:55.162Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:57:55.162Z",
+ "modified": "2025-04-16T23:02:20.428Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json b/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json
index 46e792c307..bfaca16e80 100644
--- a/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json
+++ b/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--03534aee-dfff-4b8b-b072-b309c203f4fc",
+ "id": "bundle--66db8bcc-6e53-4147-bc20-05ec5daf5e3a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9",
"created": "2023-09-28T20:09:53.108Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:09:53.108Z",
+ "modified": "2025-04-16T23:02:20.630Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json b/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json
index 9165d74ac2..4779d6615a 100644
--- a/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json
+++ b/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--aaae3a00-89a6-4323-bb8d-8b4ed7214f40",
+ "id": "bundle--e4ab0338-424c-4a14-a415-25e35c62dc05",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.260Z",
+ "modified": "2025-04-16T23:02:20.861Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened live breakers via remote commands to the HMI, causing blackouts. (Citation: Ukraine15 - EISAC - 201603)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json b/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json
index 5f4e84d9f6..46ba7a3436 100644
--- a/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json
+++ b/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--2f17f7b0-7feb-4bef-aaa4-7ed6063fb6ec",
+ "id": "bundle--8ef7ab65-3551-4a0b-8ce1-6d8cbbe8c191",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--502a0b7e-048a-468a-b888-e91fde47c6eb",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-04-12T18:59:17.429Z",
- "modified": "2022-05-06T17:47:24.189Z",
- "relationship_type": "mitigates",
- "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "North America Transmission Forum December 2019",
@@ -23,9 +15,16 @@
"url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:21.081Z",
+ "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json b/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json
index 6a9d0a5ca4..9dd387f248 100644
--- a/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json
+++ b/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a3a6dcd3-fc0d-4529-8ba3-bbc3a6149a6c",
+ "id": "bundle--635d5d55-3d4b-45f4-8a44-78f6cb321413",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29",
"created": "2023-09-29T18:03:06.209Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:03:06.209Z",
+ "modified": "2025-04-16T23:02:21.314Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json b/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json
index 8cb44d0c4c..51cf9f0a4c 100644
--- a/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json
+++ b/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--6d916c69-ca0c-4d14-8b32-61904d1b1e5f",
+ "id": "bundle--0b7ae5c4-ca01-4260-b4c8-6bdb494d02fb",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--5041e17d-6349-4589-8c61-7b43964b5f9b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-14T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.227Z",
- "relationship_type": "mitigates",
- "description": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. (Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n",
- "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
- "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Emerson Exchange",
@@ -28,9 +20,16 @@
"url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:21.521Z",
+ "description": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. (Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json b/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json
index 84440aaa44..f2ebf30507 100644
--- a/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json
+++ b/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--ba18093d-b458-490b-8bcb-7142a699abf4",
+ "id": "bundle--b50489f4-a2e0-4caf-817c-7c40a7be3368",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.090Z",
- "relationship_type": "mitigates",
- "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
- "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -28,9 +20,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:21.732Z",
+ "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
+ "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json b/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json
index 28d43271ea..e548d1c9bd 100644
--- a/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json
+++ b/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e6a0990a-9d09-4adb-b089-048a2505cc1c",
+ "id": "bundle--64d2ffc5-ca6c-4898-9cb1-d74782d5a118",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:12:35.411Z",
+ "modified": "2025-04-16T23:02:21.937Z",
"description": "In states 3 and 4 [Stuxnet](https://attack.mitre.org/software/S0603) sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json b/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json
index 58051f57c0..3eee944323 100644
--- a/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json
+++ b/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--dce63779-356e-4015-ae9e-051005126793",
+ "id": "bundle--2563a770-003a-4ea2-9b26-db5cc98a689e",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:16:50.062Z",
+ "modified": "2025-04-16T23:02:22.152Z",
"description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. (Citation: Anton Cherepanov, ESET June 2017) Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json b/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json
index 720ca4b19f..cf80dd635a 100644
--- a/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json
+++ b/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d01891f9-aa0d-49d6-b923-61479f2934c1",
+ "id": "bundle--1ff5314a-00de-45e1-950d-54f3a527f8de",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5131c799-517c-4bad-ba97-46ad7de956e7",
"created": "2023-09-28T21:17:06.233Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:17:06.233Z",
+ "modified": "2025-04-16T23:02:22.378Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json b/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json
index f3c05e0a4b..1d9fb3ae4c 100644
--- a/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json
+++ b/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9c8207ce-d345-4015-970f-1c321ea93957",
+ "id": "bundle--9371fde5-6bc4-4063-9150-fab9cb234228",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.436Z",
+ "modified": "2025-04-16T23:02:22.591Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can establish a remote HTTP connection to change the operating mode of Omron PLCs.(Citation: Dragos-Pipedream)(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json b/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json
index becd7e1620..01991ea167 100644
--- a/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json
+++ b/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--a5df7116-4f5d-4365-8999-c61020bab496",
+ "id": "bundle--736e9f2d-af7f-4b0d-ab4a-fad57c07dd46",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.072Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:22.827Z",
"description": "Restrict unauthorized devices from accessing serial comm ports.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json b/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json
index 7963f49fde..7fe7fd1e96 100644
--- a/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json
+++ b/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--76c10d59-f8ee-49ba-bebc-3f373fea2aba",
+ "id": "bundle--835050ff-fe40-475d-9dae-ce466fb87fd0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59",
"created": "2022-09-26T17:08:21.214Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T17:08:21.214Z",
+ "modified": "2025-04-16T23:02:23.025Z",
"description": "Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json b/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json
index 800b707548..075fc34aba 100644
--- a/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json
+++ b/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2e82cbd6-c85f-43c7-835a-782723271e84",
+ "id": "bundle--960e28fe-b6a4-4c32-bfdc-1e06cb80a019",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:39:25.984Z",
+ "modified": "2025-04-16T23:02:23.270Z",
"description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. (Citation: Catalin Cimpanu April 2016)",
"relationship_type": "uses",
"source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json b/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json
index a5f75a96f7..21c5528ce2 100644
--- a/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json
+++ b/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0ddbe6f6-221d-4a8f-9adb-b5c809f06a58",
+ "id": "bundle--890ab2e6-bf2b-42d1-847f-2c260efd5ef0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c",
"created": "2023-09-29T16:40:18.760Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:40:18.760Z",
+ "modified": "2025-04-16T23:02:23.504Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json b/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json
index 2c9589a359..6b794d07cb 100644
--- a/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json
+++ b/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--51339de0-f3ce-4520-8ee4-ce74b36a8963",
+ "id": "bundle--7058fe1b-ecf6-48f7-adb0-902b9c655189",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.143Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:23.726Z",
"description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
"target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json b/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json
index 9afe1c8d57..4fc1519cba 100644
--- a/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json
+++ b/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--03ca0656-8c8d-4ba6-b09f-d1197016c3ed",
+ "id": "bundle--17ea2864-c898-4458-96db-4e4c54fa05ca",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5",
+ "created": "2021-04-10T14:13:17.429Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-10T14:13:17.429Z",
- "modified": "2022-05-06T17:47:24.188Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:23.945Z",
"description": "Enforce strong password requirements to prevent password brute force methods for lateral movement.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json b/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json
index 35e21cb88c..395a98819b 100644
--- a/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json
+++ b/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--bf90df7a-1236-494b-8e61-46f252c96520",
+ "id": "bundle--02854a73-82c9-4085-bf57-d422d64ebb26",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--523777f8-4780-4716-807c-08a67450b916",
"created": "2023-09-29T18:45:13.052Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:45:13.052Z",
+ "modified": "2025-04-16T23:02:24.163Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json b/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json
index 7aee15066d..01c7118726 100644
--- a/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json
+++ b/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--053da2eb-4e46-485c-917b-24b060781392",
+ "id": "bundle--832cc7cd-7d2b-482b-9e63-09074587a453",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--524ffb0f-40ae-4c97-a098-d14001fffa31",
"created": "2023-09-29T16:44:54.473Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:44:54.473Z",
+ "modified": "2025-04-16T23:02:24.372Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0.json b/ics-attack/relationship/relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0.json
index 7a74c4ee37..c9ad6143ed 100644
--- a/ics-attack/relationship/relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0.json
+++ b/ics-attack/relationship/relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d3d01274-c47a-45de-9dd3-425504c2a33c",
+ "id": "bundle--992cfd41-5d0c-432b-8d83-015b4b0ce70e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0",
"created": "2024-04-09T20:58:49.397Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:58:49.397Z",
+ "modified": "2025-04-16T23:02:24.595Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json b/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json
index 7d2487cd5c..0cdd5ad58f 100644
--- a/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json
+++ b/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--660f6194-fb70-4007-b11d-c90580e8c28d",
+ "id": "bundle--32d51fa3-41ce-44dc-b2be-ef4ed04591b2",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--52855d5d-e835-470f-a675-751c2779c861",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--52855d5d-e835-470f-a675-751c2779c861",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.140Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:24.820Z",
"description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json b/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json
index 00c4b9970f..aed5657a35 100644
--- a/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json
+++ b/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--cf4f7886-a592-4ee4-9472-08954251f6f5",
+ "id": "bundle--da602b17-f903-496c-aab0-10a04aeaaf62",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b",
"created": "2023-09-28T21:23:26.598Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:23:26.598Z",
+ "modified": "2025-04-16T23:02:25.027Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json b/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json
index 1d4bc0e0f5..e26f2e7f79 100644
--- a/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json
+++ b/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--c8442fd9-5483-4c0a-bfef-9159ddd4f450",
+ "id": "bundle--3f781a25-0bb2-4d99-915d-5d002975df01",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.133Z",
- "relationship_type": "mitigates",
- "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
- "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
- "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:25.225Z",
+ "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
+ "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json b/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json
index 514e5d8057..2b3b95999a 100644
--- a/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json
+++ b/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--94129c2e-9da8-4716-8e8e-4cce5db9db87",
+ "id": "bundle--81a4101b-10dc-486f-8de2-c962d12f3f3e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--52e828db-58d0-443e-8d94-54d265d9606e",
"created": "2023-09-29T17:42:01.044Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:42:01.044Z",
+ "modified": "2025-04-16T23:02:25.441Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json b/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json
index c9a4c75453..de184d844f 100644
--- a/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json
+++ b/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--108c3f35-b8d5-4042-b6b1-c340e8874465",
+ "id": "bundle--be35c180-0d02-4069-bb93-3394799fd8e6",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.208Z",
- "relationship_type": "mitigates",
- "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Karen Scarfone; Paul Hoffman September 2009",
@@ -38,9 +30,16 @@
"url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:25.655Z",
+ "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--533bd747-2567-4c53-a10b-938734f8aeab.json b/ics-attack/relationship/relationship--533bd747-2567-4c53-a10b-938734f8aeab.json
index 0c2583bbcb..7ad1879b23 100644
--- a/ics-attack/relationship/relationship--533bd747-2567-4c53-a10b-938734f8aeab.json
+++ b/ics-attack/relationship/relationship--533bd747-2567-4c53-a10b-938734f8aeab.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4deea035-a719-4a5c-82ed-1328fc2c654d",
+ "id": "bundle--ba3c5834-b8ac-484e-abbd-595ba78094d1",
"spec_version": "2.0",
"objects": [
{
@@ -22,22 +22,21 @@
},
{
"source_name": "FireEye TRITON 2018",
- "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"
+ "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:07:55.592Z",
+ "modified": "2025-04-16T23:02:25.872Z",
"description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to interact and disrupt Triconex safety instrumented systems throughout this campaign.(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TRITON 2018)(Citation: FireEye TRITON Dec 2017)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json b/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json
index 7d9eb74f15..b922cc360e 100644
--- a/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json
+++ b/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9788b67e-dc0e-4720-b8db-f355281034bc",
+ "id": "bundle--89a4e636-3081-4e23-8f57-9608e6faa538",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:01:00.053Z",
+ "modified": "2025-04-16T23:02:26.098Z",
"description": "The execution on the PLC can be stopped by violating the cycle time limit. The [PLC-Blaster](https://attack.mitre.org/software/S1006) implements an endless loop triggering an error condition within the PLC with the impact of a DoS. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
"relationship_type": "uses",
"source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--538e5653-137a-4ce2-8b08-5ba69caa794a.json b/ics-attack/relationship/relationship--538e5653-137a-4ce2-8b08-5ba69caa794a.json
index 828d8c4538..a0e48d53b5 100644
--- a/ics-attack/relationship/relationship--538e5653-137a-4ce2-8b08-5ba69caa794a.json
+++ b/ics-attack/relationship/relationship--538e5653-137a-4ce2-8b08-5ba69caa794a.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--0807556d-c747-4b68-ac79-4bd25fa8d586",
+ "id": "bundle--659336b6-61c9-415d-a426-f69f6f2ae91d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--538e5653-137a-4ce2-8b08-5ba69caa794a",
"created": "2024-03-25T17:58:07.886Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -23,16 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-25T17:58:07.886Z",
+ "modified": "2025-04-16T22:15:21.909Z",
"description": "(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TRITON Dec 2017)",
"relationship_type": "attributed-to",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json b/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json
index edb466e41d..f389faac91 100644
--- a/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json
+++ b/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c8f87eb5-8774-4a61-86d3-76cbf9049b14",
+ "id": "bundle--60a08858-2f1d-483e-81bf-698bbf070426",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:12:58.883Z",
+ "modified": "2025-04-16T23:02:26.417Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json b/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json
index 3e147573e9..087b6df606 100644
--- a/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json
+++ b/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--b6ae8f6b-eeb9-4e23-8083-a40066569d45",
+ "id": "bundle--926bb133-f571-499f-8afa-d29274dab13f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a",
"created": "2023-03-30T14:08:23.251Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T14:08:23.251Z",
+ "modified": "2025-04-16T23:02:26.627Z",
"description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.(Citation: CISA June 2013)",
"relationship_type": "mitigates",
"source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65",
"target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json b/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json
index 0e76d69258..a20a0bcc48 100644
--- a/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json
+++ b/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d10d2334-de92-4bc5-8cf7-00a5d1e5cbe0",
+ "id": "bundle--6cbcd80d-659c-42a3-858b-99a79dd83bad",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--53d7a78d-1431-49e8-944c-62c875e58a20",
"created": "2023-09-29T17:08:37.793Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:08:37.793Z",
+ "modified": "2025-04-16T23:02:26.835Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json b/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json
index f9da28d0ed..a9a1f3bc02 100644
--- a/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json
+++ b/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8f7f2e4d-cebf-43f1-855d-4d4c7f15ab48",
+ "id": "bundle--d9f9aefb-1005-4d43-9555-51ccbf736757",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T15:40:18.975Z",
+ "modified": "2025-04-16T23:02:27.030Z",
"description": "[ALLANITE](https://attack.mitre.org/groups/G1000) has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017)",
"relationship_type": "uses",
"source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae",
"target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json b/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json
index 5f31169852..76822996e2 100644
--- a/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json
+++ b/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8ee3c069-7e92-470e-921c-11f128c10efe",
+ "id": "bundle--3059e36e-41b5-48af-a82e-3d1ae286f53e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd",
"created": "2023-09-29T17:44:32.341Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:44:32.341Z",
+ "modified": "2025-04-16T23:02:27.265Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json b/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json
index 64c3ee3675..79f2ced887 100644
--- a/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json
+++ b/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2b5d7935-47c0-4761-9405-110954e1f829",
+ "id": "bundle--e3da91d1-8faa-4818-a8f1-c6efed46d367",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--544e996c-0bdc-42b2-91af-14c27d4213b9",
"created": "2023-09-28T21:09:23.185Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:09:23.185Z",
+ "modified": "2025-04-16T23:02:27.495Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json b/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json
index cb0f740615..a269f7c674 100644
--- a/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json
+++ b/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--db9821ca-1e3c-49f1-a0d1-8200b9e71917",
+ "id": "bundle--34ad0b20-a7d9-4ab6-bcac-9e73583810ab",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56",
"created": "2023-09-28T20:10:44.014Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:10:44.014Z",
+ "modified": "2025-04-16T23:02:27.715Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json b/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json
index b725630af8..9364c1ccda 100644
--- a/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json
+++ b/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--5759e297-3be1-4db6-ada1-5eb24469ce51",
+ "id": "bundle--1e6d1233-438f-4baf-916c-c2dff4d3d28b",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-31T16:17:58.795Z",
+ "modified": "2025-04-16T23:02:27.911Z",
"description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration.(Citation: Industroyer2 Mandiant April 2022)",
"relationship_type": "uses",
"source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json b/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json
index 7183ff58e0..1695a0de7e 100644
--- a/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json
+++ b/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--447c11bf-e415-4a63-b873-fbb711ab9b5f",
+ "id": "bundle--3f8b677f-2ae5-4b68-83eb-be5dc50753e1",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T17:07:49.346Z",
+ "modified": "2025-04-16T23:02:28.114Z",
"description": "Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json b/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json
index 7b0a7c9a2c..dc3a391efa 100644
--- a/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json
+++ b/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--5b9ddd5d-3c96-41a9-a900-c1d38d3f1af5",
+ "id": "bundle--dc1c78a6-9889-4f6d-8f79-97b9ee118c4f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T19:18:27.480Z",
+ "modified": "2025-04-16T23:02:28.342Z",
"description": "Monitor for unexpected protocols to/from the Internet. While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--55d1eaf7-c3cb-4ff9-8439-96f562d46259.json b/ics-attack/relationship/relationship--55d1eaf7-c3cb-4ff9-8439-96f562d46259.json
index 55c61c80d4..a9fecb3036 100644
--- a/ics-attack/relationship/relationship--55d1eaf7-c3cb-4ff9-8439-96f562d46259.json
+++ b/ics-attack/relationship/relationship--55d1eaf7-c3cb-4ff9-8439-96f562d46259.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6e8a0d46-319b-4087-8f9f-2027bfc1cb4f",
+ "id": "bundle--6d63efd2-7da6-44d4-b781-959220593529",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-29T14:07:21.029Z",
+ "modified": "2025-04-16T23:02:28.550Z",
"description": "Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
"target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json b/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json
index 21f63645ec..75481516a3 100644
--- a/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json
+++ b/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1bb93990-c202-45e8-b364-471f24838547",
+ "id": "bundle--d072542c-cf0f-4d9f-b537-8e5f74abc221",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:59:50.879Z",
+ "modified": "2025-04-16T23:02:28.770Z",
"description": "Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json b/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json
index a1e4ca4f9e..ea9f10bea2 100644
--- a/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json
+++ b/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--98cd35db-2502-466e-b729-bb7277708f96",
+ "id": "bundle--f68b3e0b-5b39-45a7-9fa3-d9315c87ea7e",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.075Z",
- "relationship_type": "mitigates",
- "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Karen Scarfone; Paul Hoffman September 2009",
@@ -38,9 +30,16 @@
"url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:28.970Z",
+ "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json b/ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json
index 7a1ffc9a25..dd0b14ea02 100644
--- a/ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json
+++ b/ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--21548742-a326-4dd9-932d-36d8d5d02f7b",
+ "id": "bundle--2229d454-64eb-4429-bbf8-e886c874af32",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5677e801-bd49-404b-b54a-6b00da52530c",
"created": "2023-09-29T16:39:01.824Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:39:01.824Z",
+ "modified": "2025-04-16T23:02:29.175Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json b/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json
index bb2ee73182..9fd82ca882 100644
--- a/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json
+++ b/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ea5d44b2-8fd8-49a0-8d48-401b2986e645",
+ "id": "bundle--874219bb-d5fc-4551-b567-ee70ce0823d5",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:03:27.702Z",
+ "modified": "2025-04-16T23:02:29.386Z",
"description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json b/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json
index eff373363d..7a95f92c5c 100644
--- a/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json
+++ b/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b08469c0-ee35-4633-87ad-884d34cc5e9e",
+ "id": "bundle--eaf9dfb0-ad23-4a67-b4c3-418e5b2b9e9b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18",
"created": "2023-09-29T18:05:18.147Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:05:18.147Z",
+ "modified": "2025-04-16T23:02:29.624Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json b/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json
index ce60f69bdc..956181d261 100644
--- a/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json
+++ b/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6c676077-2aed-4ee0-8185-5a5b405f6b3e",
+ "id": "bundle--de568950-008a-4317-8f7d-03265691d965",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:24:51.471Z",
+ "modified": "2025-04-16T23:02:29.859Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. (Citation: Jos Wetzels January 2018)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json b/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json
index be8d50274c..9d7f18f510 100644
--- a/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json
+++ b/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--aecff277-5846-499c-bff1-d7a96e47ad8d",
+ "id": "bundle--93422c86-bfad-4480-8fe2-d7e86da97caa",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0",
"created": "2022-09-29T14:28:08.703Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-29T14:28:08.703Z",
+ "modified": "2025-04-16T23:02:30.068Z",
"description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json b/ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json
index b4bc80b127..72f7ef7d20 100644
--- a/ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json
+++ b/ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3f0b4399-a2d8-453e-8e07-1f50e7e4806c",
+ "id": "bundle--7f28ea4d-e02f-4f35-8656-d71ca51d19d5",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.261Z",
+ "modified": "2025-04-16T23:02:30.269Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json b/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json
index 9ba74d337c..d91aa11e87 100644
--- a/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json
+++ b/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--12a26c24-1044-4487-aedd-f82784f59bab",
+ "id": "bundle--411f3c64-dc5e-4089-bc1b-17217fb7f86b",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.199Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:30.475Z",
"description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json b/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json
index 7c4d87d89c..748ca789aa 100644
--- a/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json
+++ b/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c67228f0-7a1e-4539-874b-7b6b096cc847",
+ "id": "bundle--2502f32c-c108-4e12-b50e-4f08635c7b7f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T16:33:10.450Z",
+ "modified": "2025-04-16T23:02:30.704Z",
"description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
"target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json b/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json
index 4e59b90ac1..39b661c8af 100644
--- a/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json
+++ b/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2568b65c-b576-46b8-9d4f-223bb78925ce",
+ "id": "bundle--d0ac3b7d-6d65-44fb-89a3-3b90105e7c8c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--577b53a0-44ff-4cc4-b571-455d61e596c0",
"created": "2023-09-28T20:27:17.431Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:27:17.431Z",
+ "modified": "2025-04-16T23:02:30.910Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json b/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json
index 4cca948465..aa987c43ca 100644
--- a/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json
+++ b/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0010c5d0-a126-4c50-a5af-6119e402cfe2",
+ "id": "bundle--2591a72d-22da-4ebe-9474-2a520fb63077",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T21:22:50.001Z",
+ "modified": "2025-04-16T23:02:31.117Z",
"description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json b/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json
index 35e3bf77ad..fe4633fad1 100644
--- a/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json
+++ b/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ea12ba53-3e7d-4525-a5e8-8d50bcbbc907",
+ "id": "bundle--3388e11c-e0ad-4a2a-b0a8-f1513b12e28a",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-07T17:07:29.299Z",
+ "modified": "2025-04-16T22:16:38.121Z",
"description": "Within the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Industroyer](https://attack.mitre.org/software/S0604) was used to target and disrupt the Ukrainian power grid substation components.(Citation: Dragos Crashoverride 2018)(Citation: ESET Industroyer)",
"relationship_type": "uses",
"source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
"target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json b/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json
index 82d3a259e0..2cdc191fa9 100644
--- a/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json
+++ b/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--e9b89453-72ca-4e2f-819e-ce31735595dc",
+ "id": "bundle--bb9b69dc-182c-4ce7-975b-189f1e8be208",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.166Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:31.423Z",
"description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433",
"target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json b/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json
index 2d372e10ea..95d649fd40 100644
--- a/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json
+++ b/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--919362c1-8abc-4051-bb30-0fa6e23bb970",
+ "id": "bundle--eadac70f-e59e-43a5-87a0-d3ed7b8c7504",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.086Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:31.623Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json b/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json
index 53b9ebe247..508e9614be 100644
--- a/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json
+++ b/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4c101a35-a24b-4abc-be79-6313027c4b8f",
+ "id": "bundle--027812c5-312e-4ef1-b47e-d2618fc14afb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2",
"created": "2022-09-26T15:37:30.958Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:37:30.958Z",
+ "modified": "2025-04-16T23:02:31.837Z",
"description": "Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json b/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json
index f48f659a2d..a788e9b491 100644
--- a/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json
+++ b/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--1f24c30b-3602-43e7-948b-114bb089ad75",
+ "id": "bundle--8c4847e7-c4f1-4ee6-98f5-e4d80f5be0fe",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.168Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:32.049Z",
"description": "Use multi-factor authentication wherever possible.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd",
"target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json b/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json
index f7c539dc3f..62d1393afd 100644
--- a/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json
+++ b/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0fe8e7ba-6366-4079-a45e-66e167821cc4",
+ "id": "bundle--308eb671-6322-462d-8fae-1f27f317a1d4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba",
"created": "2023-09-28T19:38:03.976Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:38:03.976Z",
+ "modified": "2025-04-16T23:02:32.268Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json b/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json
index f1bca19554..68595e4b60 100644
--- a/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json
+++ b/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--a7738d17-b539-441e-8f1d-3ddd19bd96b9",
+ "id": "bundle--255f1330-3938-4d18-a278-1516476eef8a",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.145Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:32.483Z",
"description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
"target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json b/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json
index 1cd8e98b67..a34397ec5b 100644
--- a/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json
+++ b/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9de39b8b-7efe-4926-b419-db0d001a9a47",
+ "id": "bundle--d531cdac-c098-468b-9d86-78b22562f338",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1",
"created": "2023-09-28T20:27:33.713Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:27:33.713Z",
+ "modified": "2025-04-16T23:02:32.703Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json b/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json
index 144036afd3..a69b6a5e99 100644
--- a/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json
+++ b/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--99d5726d-bf86-4b06-b02b-753eede8d731",
+ "id": "bundle--35f25994-e7f1-4457-9adc-e91310d30193",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:17:25.451Z",
+ "modified": "2025-04-16T23:02:32.921Z",
"description": "Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to login and may perform follow-on actions that spawn additional processes as the user.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json b/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json
index 7453a34eeb..cca0d62cc0 100644
--- a/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json
+++ b/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--3783ddc2-411e-4e4a-8b77-727786afb77e",
+ "id": "bundle--082415e7-fbb8-478d-b9fa-29ad219329aa",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.201Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:33.152Z",
"description": "Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json b/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json
index ce9db61d82..6c152faf3a 100644
--- a/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json
+++ b/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--8a776356-12ad-4c5e-9d2e-848078cbb3b6",
+ "id": "bundle--e175ca8c-832a-4306-a29b-7ecdd5a3bb27",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--5914a482-dbb7-429d-96f3-77f0588ac12d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--5914a482-dbb7-429d-96f3-77f0588ac12d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.123Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:33.384Z",
"description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json b/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json
index 306aa55861..cd9146c495 100644
--- a/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json
+++ b/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--75dccfbe-da6a-4e86-a655-31ad838841fb",
+ "id": "bundle--84720be9-34b3-4df9-ad87-aaec36b070f8",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:25:07.936Z",
+ "modified": "2025-04-16T23:02:33.598Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. (Citation: DHS CISA February 2019)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json b/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json
index 988838fc94..698fe84157 100644
--- a/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json
+++ b/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ce8bab25-c9a4-43a1-ad13-26c16c600d62",
+ "id": "bundle--c2670058-1fee-4080-91e2-da47751b9149",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b",
"created": "2023-09-28T21:28:21.910Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:28:21.910Z",
+ "modified": "2025-04-16T23:02:33.839Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json b/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json
index ddc52b9793..9e8b9d7596 100644
--- a/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json
+++ b/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3a8dac5a-7179-4e81-af61-ccbf57ec6b04",
+ "id": "bundle--15ecc51f-0c59-4891-b8d0-f4c1e164d036",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8",
"created": "2023-09-29T17:09:25.690Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:09:25.690Z",
+ "modified": "2025-04-16T23:02:34.042Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json b/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json
index 637d9af828..e903798784 100644
--- a/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json
+++ b/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--df0f3e6b-5b54-45ab-b679-a7a4b1fe3425",
+ "id": "bundle--04f78dfe-25c8-446c-b9bd-7332731c123c",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T19:16:20.286Z",
- "description": "Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).",
+ "modified": "2025-04-16T23:02:34.273Z",
+ "description": "Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see [Service Stop Mitigation](https://attack.mitre.org/mitigations/T1489).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json b/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json
index 7f1b1385a8..cdc571e89e 100644
--- a/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json
+++ b/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--84a46f77-7720-49d8-af4e-69e4d1a8542b",
+ "id": "bundle--2e9fd4db-cdb0-4b2a-a219-d650bdbe0b7f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc",
"created": "2023-03-10T20:30:43.206Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:30:43.206Z",
+ "modified": "2025-04-16T23:02:34.481Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json b/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json
index 7ec2ece783..308f6bdc9b 100644
--- a/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json
+++ b/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a45a5f77-aeae-406f-a6a6-6ecfd95681b9",
+ "id": "bundle--f393db92-dfb5-4364-952c-2d229e819bbb",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:40:41.495Z",
+ "modified": "2025-04-16T23:02:34.706Z",
"description": "Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json b/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json
index 365c2b4116..7727bf4f1f 100644
--- a/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json
+++ b/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--18f5fba1-5bc8-4f31-84f0-a7a09b6d231b",
+ "id": "bundle--3fda63fb-54dc-4e42-b8a9-2e6510618aa4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba",
"created": "2023-09-28T20:07:36.295Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:07:36.295Z",
+ "modified": "2025-04-16T23:02:35.030Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json b/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json
index 0def1b0fc0..97b289439d 100644
--- a/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json
+++ b/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--b8933abd-7740-431d-870b-bb3e6f1b4275",
+ "id": "bundle--e587dcf0-b315-43c3-b92d-ac8f1db5a92e",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.180Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:35.227Z",
"description": "All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json b/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json
index 7a1b6522f6..ad093efa70 100644
--- a/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json
+++ b/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8bf2f545-3a49-4b54-b9b6-75e0c5ae954c",
+ "id": "bundle--e1fc034a-bfda-44c9-b1f6-5ca98e599bde",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5b14c813-09e2-4709-ab42-94830cf9538c",
"created": "2023-09-29T18:42:39.876Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:42:39.876Z",
+ "modified": "2025-04-16T23:02:35.448Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2.json b/ics-attack/relationship/relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2.json
new file mode 100644
index 0000000000..52fc58788f
--- /dev/null
+++ b/ics-attack/relationship/relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--48b5d0bb-ba3b-4106-ad8a-b501b70bcbcb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2",
+ "created": "2024-11-20T23:09:31.950Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:35.656Z",
+ "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) can read data from holding registers via Modbus communication.(Citation: Dragos FROSTYGOOP 2024)",
+ "relationship_type": "uses",
+ "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05",
+ "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json b/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json
index 0c580b1a3e..bc387b1350 100644
--- a/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json
+++ b/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ab2ecf44-764c-4609-af25-a1c4897312b4",
+ "id": "bundle--f794ba7d-a5ec-4842-b594-c1e5c9bf9dbf",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:19:26.117Z",
+ "modified": "2025-04-16T23:02:35.883Z",
"description": "Execution of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) relies on a user opening a trojanized installer attached to an email. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) (Citation: Kyle Wilhoit)",
"relationship_type": "uses",
"source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json b/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json
index ee35d96d43..b424098f97 100644
--- a/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json
+++ b/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--aa233e28-2e2d-4983-9fbf-6007aef482c4",
+ "id": "bundle--7a812cac-bdd7-4b15-9869-3ce3eacb32d9",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.209Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:36.101Z",
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad.json b/ics-attack/relationship/relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad.json
index 4dc4efe9b8..8b092f4eb9 100644
--- a/ics-attack/relationship/relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad.json
+++ b/ics-attack/relationship/relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--16a3c3d6-37f2-4536-bb36-21efdf4e73f5",
+ "id": "bundle--b5fffd4e-b73b-42af-9026-d39231284f8d",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:01:00.075Z",
+ "modified": "2025-04-16T23:02:36.327Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) tripped a controller into a failed safe state, which caused an automatic shutdown of the plant, this resulted in a pause of plant operations for more than a week. Thereby impacting industrial processes and halting productivity.(Citation: FireEye TRITON Dec 2017)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json b/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json
index 3a73084b57..935e123430 100644
--- a/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json
+++ b/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e65d5a08-0d62-45d6-9e45-4e11d60eff23",
+ "id": "bundle--ee03cf56-beaa-4150-8dff-03052f812f25",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:39:05.432Z",
+ "modified": "2025-04-16T23:02:36.538Z",
"description": "Provide the ability to verify the integrity and authenticity of changes to parameter values.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json b/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json
index 6fb8d6a701..4b29014746 100644
--- a/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json
+++ b/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b231250a-c637-4c70-b13b-1aaba770c92f",
+ "id": "bundle--dcd788c6-2664-4b8d-9704-a35d777e509c",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:01:18.283Z",
+ "modified": "2025-04-16T23:02:36.747Z",
"description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
"relationship_type": "uses",
"source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json b/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json
index 90fd59d503..92d480e64d 100644
--- a/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json
+++ b/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--dbe6ef31-a017-4651-b378-bba19cffcb5a",
+ "id": "bundle--f71462c4-bc75-43af-9564-bfa4e318c4ac",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5c61c8a2-bfff-43fb-8397-bff864413d74",
"created": "2023-09-29T17:06:09.673Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:06:09.673Z",
+ "modified": "2025-04-16T23:02:36.954Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json b/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json
index 1588211d94..23a569bb98 100644
--- a/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json
+++ b/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a8fed343-4807-4768-88a2-7cd73509e5fb",
+ "id": "bundle--001e76a2-c0d3-4c07-a308-9706d9bdd4ce",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T17:38:22.073Z",
+ "modified": "2025-04-16T23:02:37.164Z",
"description": "Monitor for file creation in conjunction with other techniques (e.g., file transfers using [Remote Services](https://attack.mitre.org/techniques/T0886)).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a.json b/ics-attack/relationship/relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a.json
new file mode 100644
index 0000000000..5a9eb72636
--- /dev/null
+++ b/ics-attack/relationship/relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--599c8645-d72a-400d-9120-353a4b4f3f64",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a",
+ "created": "2024-11-20T23:06:24.432Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:37.377Z",
+ "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) utilizes the Modbus protocol for transmitting commands to victim devices.(Citation: Dragos FROSTYGOOP 2024)",
+ "relationship_type": "uses",
+ "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05",
+ "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json b/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json
index 91831d0e75..ee66542290 100644
--- a/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json
+++ b/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--6da94aa8-1f0e-4181-831c-c36504277c5d",
+ "id": "bundle--772ae097-b97c-4db9-9a14-d2fb0eb02b06",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.182Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:37.627Z",
"description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json b/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json
index a66c4d8632..aaee467a81 100644
--- a/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json
+++ b/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--e200b01d-3420-4db0-ba41-6d7d34ab2862",
+ "id": "bundle--7a2434f7-6873-4cc7-9a23-0bb4514b6fb5",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.094Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:37.868Z",
"description": "System and process restarts should be performed when a timeout condition occurs.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json b/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json
index 5d5ffd1c40..6a16a89d19 100644
--- a/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json
+++ b/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--b3e9d7e2-7222-4810-9fe3-cf76a4241331",
+ "id": "bundle--bcda210f-a6ff-458d-b942-9e6bf408649f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.068Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:38.092Z",
"description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
"target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json b/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json
index 051b83876b..8b62da658a 100644
--- a/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json
+++ b/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d8402cc0-59ac-4552-ae1e-baa93e2c70bd",
+ "id": "bundle--a7758b0a-91f3-4722-b518-19e4e30b5dcf",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:48:51.528Z",
+ "modified": "2025-04-16T23:02:38.316Z",
"description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json b/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json
index 50d46a8492..c1d2cfd48f 100644
--- a/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json
+++ b/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--0bd0872d-8c2c-4b71-80a7-c23cb3443dd9",
+ "id": "bundle--5d7a8403-8bf1-4483-a5ad-752bc61150f0",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.201Z",
- "relationship_type": "mitigates",
- "description": "Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. (Citation: IEC February 2019)\n",
- "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
- "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "IEC February 2019",
@@ -23,9 +15,16 @@
"url": "https://webstore.iec.ch/publication/34421"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:38.521Z",
+ "description": "Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. (Citation: IEC February 2019)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json b/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json
index 990bca4982..e939b851f9 100644
--- a/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json
+++ b/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--ab89f8f3-7e10-4411-9aee-f41f3d6551b6",
+ "id": "bundle--a1ef2c84-6e5b-42d3-b4ba-c47c19b32b7f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.235Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:38.750Z",
"description": "Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json b/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json
index 903a25dc59..ce3b1945fc 100644
--- a/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json
+++ b/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c4729ffd-e8c6-49df-872e-1b14ffd4cab0",
+ "id": "bundle--5d8c7f31-af27-4531-a116-a07fde0ff729",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:05:04.619Z",
+ "modified": "2025-04-16T23:02:38.960Z",
"description": "[REvil](https://attack.mitre.org/software/S0496) searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. (Citation: Tom Fakterman August 2019)",
"relationship_type": "uses",
"source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json b/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json
index cb3c5dff3e..ac1c5984dc 100644
--- a/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json
+++ b/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2446251a-f2da-4340-a499-cc710f0e24ef",
+ "id": "bundle--f1ed07cd-8119-4932-9033-b6b816d78178",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5e324da5-0fee-4dac-b289-410d560e03e9",
"created": "2023-09-28T19:46:49.255Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:46:49.255Z",
+ "modified": "2025-04-16T23:02:39.172Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json b/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json
index 434abb3ee1..48f3e1c341 100644
--- a/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json
+++ b/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d71b707c-4827-4456-ba44-0a2d0de8778a",
+ "id": "bundle--570188cf-4da7-4676-85dc-747f2c4e9d76",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb",
"created": "2023-09-28T20:16:28.582Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:16:28.582Z",
+ "modified": "2025-04-16T23:02:39.400Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json b/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json
index 86222ae795..16a6843c33 100644
--- a/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json
+++ b/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--0cede577-ff66-4f4c-9c7b-8684c897995e",
+ "id": "bundle--4efaa720-212a-47e4-8992-11418455f448",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--5f03ee5d-534c-454c-aae3-b41130b00286",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-04-13T12:08:26.506Z",
- "modified": "2022-05-06T17:47:24.117Z",
- "relationship_type": "mitigates",
- "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n",
- "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
- "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Dan Goodin March 2017",
@@ -23,9 +15,16 @@
"url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:39.624Z",
+ "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
+ "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json b/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json
index 52b27708ca..30ac6f1ace 100644
--- a/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json
+++ b/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--69e2bb52-867b-4d45-b4ce-a7e219ceb8b3",
+ "id": "bundle--74ee87db-e252-47e4-b4b7-c5be1ac1efcd",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0",
"created": "2023-09-25T20:49:49.605Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:49:49.605Z",
+ "modified": "2025-04-16T23:02:39.867Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and\u00a0User Account Management.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json b/ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json
index 4a5ccc43fb..678e113762 100644
--- a/ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json
+++ b/ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3aa020ed-fdc2-4dc6-91a8-d0f35796f3d9",
+ "id": "bundle--3153bc8b-ae2e-4f17-8fcb-ae9a6fbbb004",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--5ff26c96-c610-4669-b44e-d6318205be5a",
"created": "2023-09-29T16:43:28.841Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:43:28.841Z",
+ "modified": "2025-04-16T23:02:40.092Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json b/ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json
index 89c3b8d946..d6a92c86f9 100644
--- a/ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json
+++ b/ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--07ccaad1-b01f-4e13-98cc-a3e85a51623f",
+ "id": "bundle--f9356439-bcc9-4f3d-b1d5-4331b69495b5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--600f0115-94e3-49bf-afa6-0180b3367b94",
"created": "2023-09-28T20:06:15.180Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:06:15.180Z",
+ "modified": "2025-04-16T23:02:40.318Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json b/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json
index 53e62db561..272bd68df9 100644
--- a/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json
+++ b/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--7bc7baf2-abfe-4246-b9f4-4f8d58db7ed7",
+ "id": "bundle--bb1cf442-bf67-44f1-9bd6-0310cd894419",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.195Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:40.518Z",
"description": "Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce",
"target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json b/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json
index 67f27798d6..ae990aa160 100644
--- a/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json
+++ b/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--13431e8c-887a-4591-9327-65df75b7a9fc",
+ "id": "bundle--3374fd8e-f0d8-48c9-8a9b-07f4f20dca60",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024",
"created": "2023-09-29T18:07:18.253Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:07:18.253Z",
+ "modified": "2025-04-16T23:02:40.768Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json b/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json
index a09d4ca84d..0791c146c9 100644
--- a/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json
+++ b/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a1895377-6f1c-4879-a383-d24b1d85c530",
+ "id": "bundle--4f46e288-0921-43e3-b340-efab42b3fb07",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--605f3853-b007-4134-8a2d-6a81a35e7676",
"created": "2023-09-29T18:48:05.559Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:48:05.559Z",
+ "modified": "2025-04-16T23:02:40.983Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6067c069-8e93-4bf0-bb49-97538d55c3de.json b/ics-attack/relationship/relationship--6067c069-8e93-4bf0-bb49-97538d55c3de.json
index a4f62bb7c6..43848980e0 100644
--- a/ics-attack/relationship/relationship--6067c069-8e93-4bf0-bb49-97538d55c3de.json
+++ b/ics-attack/relationship/relationship--6067c069-8e93-4bf0-bb49-97538d55c3de.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8f823de6-8cd5-46ae-9ed5-f0397264a69c",
+ "id": "bundle--ac4ac2f8-c28b-41b6-8232-06a86aa72dca",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6067c069-8e93-4bf0-bb49-97538d55c3de",
"created": "2024-04-09T20:58:32.884Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:58:32.884Z",
+ "modified": "2025-04-16T23:02:41.206Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json b/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json
index 7b09f0c6d7..ede96733d0 100644
--- a/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json
+++ b/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--cfdcc919-1730-4574-ab0c-edd3816ab368",
+ "id": "bundle--a5218dfa-bad1-4818-8afb-832693cafb4a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6157408d-1eb3-4445-8d8a-14619458954f",
"created": "2022-09-27T15:26:40.297Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:26:40.297Z",
+ "modified": "2025-04-16T23:02:41.418Z",
"description": "Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json b/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json
index d7a76781bc..f60391332a 100644
--- a/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json
+++ b/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--bdd8dda8-892f-464a-847b-458756f1b59b",
+ "id": "bundle--45626339-2b67-4c18-942a-8f812d972109",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.199Z",
- "relationship_type": "mitigates",
- "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Karen Scarfone; Paul Hoffman September 2009",
@@ -38,9 +30,16 @@
"url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:41.643Z",
+ "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--61869a8e-d6da-478a-b770-47f97beae8b4.json b/ics-attack/relationship/relationship--61869a8e-d6da-478a-b770-47f97beae8b4.json
index de9a3270cc..890335af25 100644
--- a/ics-attack/relationship/relationship--61869a8e-d6da-478a-b770-47f97beae8b4.json
+++ b/ics-attack/relationship/relationship--61869a8e-d6da-478a-b770-47f97beae8b4.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--66bee22b-7879-4623-b8d8-45e819097613",
+ "id": "bundle--f84fd899-6d06-426e-8680-21d1a850c021",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--61869a8e-d6da-478a-b770-47f97beae8b4",
"created": "2024-08-15T21:59:43.124Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-08-15T21:59:43.124Z",
+ "modified": "2025-04-16T22:19:06.690Z",
"description": "[VPNFilter](https://attack.mitre.org/software/S1010) is associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) operations based on reporting on [VPNFilter](https://attack.mitre.org/software/S1010) replacement software, [Cyclops Blink](https://attack.mitre.org/software/S0687).(Citation: NCSC CISA Cyclops Blink Advisory February 2022)",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "malware--6108f800-10b8-4090-944e-be579f01263d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json b/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json
index 02fdb55957..f78fc3fd78 100644
--- a/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json
+++ b/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f4eb49e7-7114-44f7-a404-c353a982e74c",
+ "id": "bundle--a7b63aab-0ba6-4167-9411-5fed37b1475e",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:58:23.141Z",
+ "modified": "2025-04-16T23:02:42.032Z",
"description": "[NotPetya](https://attack.mitre.org/software/S0368) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)",
"relationship_type": "uses",
"source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json b/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json
index c9145d7b3d..d9c5aa9af8 100644
--- a/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json
+++ b/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--85dc7da2-889b-4301-8505-1759821220a1",
+ "id": "bundle--aef9af46-e745-4605-bc99-0a4242d6b9f0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--62abe387-10a2-414b-881c-060b70db2157",
"created": "2023-09-28T20:08:39.992Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:08:39.992Z",
+ "modified": "2025-04-16T23:02:42.273Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json b/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json
index 0b8e200f7f..f8d1571b86 100644
--- a/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json
+++ b/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c3ade611-ffa2-49e9-8f3b-f97087f8a37f",
+ "id": "bundle--10fee05d-3773-47c8-94ef-dcefb9d25d55",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-17T15:22:56.606Z",
+ "modified": "2025-04-16T23:02:42.480Z",
"description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604) IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.(Citation: ESET Industroyer)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--630eb861-eb37-4258-9dbd-87789df2257a.json b/ics-attack/relationship/relationship--630eb861-eb37-4258-9dbd-87789df2257a.json
index f36cdcfef3..90a05a65e0 100644
--- a/ics-attack/relationship/relationship--630eb861-eb37-4258-9dbd-87789df2257a.json
+++ b/ics-attack/relationship/relationship--630eb861-eb37-4258-9dbd-87789df2257a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3d3ac153-0400-450c-a61f-fb3ccdecff21",
+ "id": "bundle--4e5eae6b-8b57-43e1-a300-b31e5b12c83a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--630eb861-eb37-4258-9dbd-87789df2257a",
"created": "2024-03-26T15:41:26.772Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-26T15:41:26.772Z",
+ "modified": "2025-04-16T23:02:42.705Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json b/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json
index 53250c86c6..bdd6e047c1 100644
--- a/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json
+++ b/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json
@@ -1,22 +1,22 @@
{
"type": "bundle",
- "id": "bundle--0eaecf6f-9c77-44d7-bb8d-401d6fbceffb",
+ "id": "bundle--e07e4ad3-82e8-4195-82ae-09f758b57ef0",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb",
- "type": "relationship",
- "created": "2018-10-17T00:14:20.652Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2018-10-17T00:14:20.652Z",
+ "modified": "2025-04-16T22:19:32.664Z",
"relationship_type": "revoked-by",
"source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json b/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json
index d6de356421..138aa34f9b 100644
--- a/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json
+++ b/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--97690797-7d3c-4f8e-bd82-383daabe5002",
+ "id": "bundle--15fed73b-a7e4-450a-a5cd-5d7f89ad4344",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.122Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:43.023Z",
"description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json b/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json
index 56f4f0a98c..95990afda1 100644
--- a/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json
+++ b/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e24c97e9-dff7-4228-9f63-4bb9c7afe9a7",
+ "id": "bundle--6a517926-f3ec-4852-b585-e6061a401311",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:25:01.756Z",
+ "modified": "2025-04-16T23:02:43.267Z",
"description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918)",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json b/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json
index e08699db81..1eb00dba4e 100644
--- a/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json
+++ b/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--7f48e306-1cee-4711-bc06-7f5d93f161f0",
+ "id": "bundle--a156c684-6500-4563-8b9c-828663b79bac",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T16:53:22.510Z",
- "description": "Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.",
+ "modified": "2025-04-16T23:02:43.496Z",
+ "description": "Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. For added context on adversary procedures and background see [Masquerading Mitigation](https://attack.mitre.org/mitigations/T1036) and applicable sub-techniques.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json b/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json
index f8cf8ec1a8..aa88f5a890 100644
--- a/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json
+++ b/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--df583b7d-54dd-43ba-9e6b-b3d606bd25d1",
+ "id": "bundle--7d4f7dce-15cd-4a9d-a691-8d320ac095d2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b",
"created": "2023-09-29T17:44:55.599Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:44:55.599Z",
+ "modified": "2025-04-16T23:02:43.745Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json b/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json
index 7183376cda..3943e0098d 100644
--- a/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json
+++ b/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d6f0a524-35cb-446a-83a3-cbdd0cd38dec",
+ "id": "bundle--5af7e61b-2721-44ff-9b58-85a74f9590fa",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:25:29.480Z",
+ "modified": "2025-04-16T23:02:43.943Z",
"description": "[Triton](https://attack.mitre.org/software/S1009)'s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. (Citation: DHS CISA February 2019) (Citation: Jos Wetzels January 2018)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json b/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json
index f9f1f75279..9d0d964193 100644
--- a/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json
+++ b/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8c51b75b-2e50-4cf8-b2a8-2f0331caef38",
+ "id": "bundle--ae67e69f-cbad-4470-969a-c414af4e0856",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3",
"created": "2023-09-29T16:43:05.495Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:43:05.495Z",
+ "modified": "2025-04-16T23:02:44.216Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json b/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json
index 88e3917ec9..54154d3f7c 100644
--- a/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json
+++ b/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ecde89f8-1dd2-41c1-98bd-640694b9874c",
+ "id": "bundle--858c4c30-1515-4e97-af03-7a9943ccdb0a",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-05T22:03:14.174Z",
+ "modified": "2025-04-16T23:02:44.432Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's affected rivers.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json b/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json
index 112b590786..a51cfba786 100644
--- a/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json
+++ b/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--26923996-2531-4f0c-8a15-19feb60defed",
+ "id": "bundle--87ffd677-e6f7-485c-98c3-99bc7c73a09c",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:17:15.157Z",
+ "modified": "2025-04-16T23:02:44.640Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json b/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json
index 3f500836d3..f5cf93222a 100644
--- a/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json
+++ b/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--551b664e-d06e-46e5-bf1b-2ae21d14a982",
+ "id": "bundle--19fb80c6-6838-432c-9e91-46e3706c2a12",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.101Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:44.867Z",
"description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json b/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json
index 2907986ea4..a7662e866f 100644
--- a/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json
+++ b/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--601e63ff-77d0-4881-8aad-8bb925fd7f5e",
+ "id": "bundle--85c9e1c1-5f07-4fb2-9b61-7f8e01743feb",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.198Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:45.085Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json b/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json
index ba3decf722..2b78007025 100644
--- a/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json
+++ b/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b8c1af56-7114-49b6-bd46-7a84775a2523",
+ "id": "bundle--c6763110-ff3a-4cab-8084-078e514d3708",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--652c1e77-cfea-4452-9762-5ba16f874119",
"created": "2023-09-29T17:58:42.002Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:58:42.002Z",
+ "modified": "2025-04-16T23:02:45.324Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json b/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json
index bfd9094d80..eaae9b13f4 100644
--- a/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json
+++ b/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3e62bc92-b4f6-443f-9f14-67996c3ea869",
+ "id": "bundle--2f08a5f4-e19d-4883-bbb4-84f635b0bd39",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:49:07.316Z",
+ "modified": "2025-04-16T23:02:45.540Z",
"description": "Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json b/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json
index fbf03b4d0a..7c6b5d6707 100644
--- a/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json
+++ b/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--15475761-2d43-459d-8f11-6950bb3a8412",
+ "id": "bundle--91967c69-5e2e-47b2-9d19-a8051390dbf5",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T15:22:13.576Z",
+ "modified": "2025-04-16T23:02:45.770Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used port 443 to communicate with their C2 servers. (Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json b/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json
index 25c3e47260..f8a5b8faac 100644
--- a/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json
+++ b/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--86689068-d45a-4211-afe9-bab67f2eee44",
+ "id": "bundle--3c49dcf6-19e4-4236-b150-0d9fbaa1d892",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.166Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:46.003Z",
"description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json b/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json
index ea7260c16e..09765f5d65 100644
--- a/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json
+++ b/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a1cba6b1-e40f-4200-bd99-f22d8693f46c",
+ "id": "bundle--050740e6-3017-4153-af4b-35ec319ee828",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--65aa5a0d-926c-4b04-9509-f66a99639877",
"created": "2023-09-29T17:41:34.892Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:41:34.892Z",
+ "modified": "2025-04-16T23:02:46.215Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json b/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json
index c99129945c..bb99ef2fdc 100644
--- a/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json
+++ b/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3f624a87-de15-4eb5-97b3-33df3256151c",
+ "id": "bundle--d7d69d59-11e4-465e-ab60-236aa0f54d19",
"spec_version": "2.0",
"objects": [
{
@@ -34,15 +34,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-12-04T20:49:01.034Z",
+ "modified": "2025-04-16T22:20:08.790Z",
"description": "(Citation: IBM Ransomware Trends September 2020)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: FBI Flash FIN7 USB)(Citation: Microsoft Ransomware as a Service)",
"relationship_type": "uses",
"source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
"target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json b/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json
index 4de74a2eaf..e882f9f2b4 100644
--- a/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json
+++ b/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--73793838-09ae-4045-86bd-9b2dad589583",
+ "id": "bundle--be8266fa-125a-4f1c-b320-bfdb0ab68c23",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5",
"created": "2023-09-28T21:25:34.304Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:25:34.304Z",
+ "modified": "2025-04-16T23:02:46.527Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json b/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json
index 21828db288..04cbdfcfee 100644
--- a/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json
+++ b/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--840460d1-a2dd-458b-aa77-bc1797be7b77",
+ "id": "bundle--b5b60c34-1850-4d71-9765-6f1e8308b212",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2",
"created": "2023-10-02T20:18:54.267Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:18:54.267Z",
+ "modified": "2025-04-16T23:02:46.764Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json b/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json
index 9b4deca251..55bb764b79 100644
--- a/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json
+++ b/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b47a71b5-9066-4636-8ffa-472b264cf976",
+ "id": "bundle--4cb4bf0e-30a8-46f8-918b-655c3be1eef1",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:58:42.847Z",
+ "modified": "2025-04-16T23:02:46.983Z",
"description": "[NotPetya](https://attack.mitre.org/software/S0368) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)",
"relationship_type": "uses",
"source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json b/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json
index c8c79f09e5..3c818d9a1b 100644
--- a/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json
+++ b/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--5955ee5d-0b27-4d3b-b7d0-02291b7c9bb2",
+ "id": "bundle--ba869448-97fc-48b0-95d9-b04d67ad5aa4",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.099Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:47.198Z",
"description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json b/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json
index 79e42de5cb..fe05043746 100644
--- a/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json
+++ b/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--502621a2-fd28-44c6-91f9-149d657c2bf9",
+ "id": "bundle--b42878cc-9085-457e-ba88-bc4b5a67737e",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-06T22:09:44.559Z",
+ "modified": "2025-04-16T23:02:47.442Z",
"description": "[Industroyer2](https://attack.mitre.org/software/S1072) modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)",
"relationship_type": "uses",
"source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json b/ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json
index ad76376cc1..3ec6a0521f 100644
--- a/ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json
+++ b/ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e200afbe-3807-4616-ba29-0413a3b51506",
+ "id": "bundle--b59ee792-2f86-47a5-9721-98638f323e81",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--66738beb-0a33-4d70-baec-8307b5b34f80",
"created": "2023-09-28T20:16:05.975Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:16:05.975Z",
+ "modified": "2025-04-16T23:02:47.650Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json b/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json
index db8522b684..75398c459a 100644
--- a/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json
+++ b/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f6a00605-8884-449c-b6f1-7ffc9d9c27e5",
+ "id": "bundle--03c1a119-f952-434d-b06a-3101cdef0d6b",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.438Z",
+ "modified": "2025-04-16T23:02:47.871Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).(Citation: CISA-AA22-103A)\n\n [INCONTROLLER](https://attack.mitre.org/software/S1045) can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json b/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json
index 47270b8cf2..a75c92ab3c 100644
--- a/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json
+++ b/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--f31dd9ec-3300-49dc-b646-a16f5bc31969",
+ "id": "bundle--07a0a149-7716-4332-9719-0aad194e26a9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d",
"created": "2023-03-10T20:32:02.472Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:32:02.472Z",
+ "modified": "2025-04-16T23:02:48.099Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json b/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json
index d7b8f29f65..8f76d79d48 100644
--- a/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json
+++ b/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8a2f01a3-fcbb-456b-87ab-e790df9e8450",
+ "id": "bundle--134149ee-ed41-42fe-962a-92dae4737acf",
"spec_version": "2.0",
"objects": [
{
@@ -29,15 +29,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.440Z",
+ "modified": "2025-04-16T23:02:48.321Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json b/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json
index 7805581f4f..161ef5124f 100644
--- a/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json
+++ b/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--882e30f7-dbf4-42ec-9a03-22c6a438d8a4",
+ "id": "bundle--fdb32214-4b73-4271-a5d4-b6bd705ea81e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702",
"created": "2023-09-29T17:43:31.956Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:43:31.956Z",
+ "modified": "2025-04-16T23:02:48.549Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json b/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json
index 8b4f3d9db2..7c777de340 100644
--- a/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json
+++ b/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ac413133-dd88-434a-9300-1818f7190b47",
+ "id": "bundle--cdfbeda6-b770-4fbc-8244-8de596f52eec",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:53:54.118Z",
+ "modified": "2025-04-16T23:02:48.765Z",
"description": "Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--66d8f3d7-68e0-48a0-a563-4746922080fc.json b/ics-attack/relationship/relationship--66d8f3d7-68e0-48a0-a563-4746922080fc.json
index 5a03da80e0..bdc074439d 100644
--- a/ics-attack/relationship/relationship--66d8f3d7-68e0-48a0-a563-4746922080fc.json
+++ b/ics-attack/relationship/relationship--66d8f3d7-68e0-48a0-a563-4746922080fc.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--62952819-dcc6-4321-b045-3fbfd519d7e1",
+ "id": "bundle--d2c1a090-41b0-4824-8473-00aadbf935e1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--66d8f3d7-68e0-48a0-a563-4746922080fc",
"created": "2024-04-09T20:48:46.756Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:48:46.756Z",
+ "modified": "2025-04-16T23:02:49.011Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68.json b/ics-attack/relationship/relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68.json
index 9899e316dd..639e4696f3 100644
--- a/ics-attack/relationship/relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68.json
+++ b/ics-attack/relationship/relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--dc67263b-d17d-4bc5-88a7-801e26530ea2",
+ "id": "bundle--5896a2f4-a390-4f87-ae88-8127ae09fbb6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68",
"created": "2024-09-11T22:50:15.550Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-09-11T22:50:15.550Z",
+ "modified": "2025-04-16T23:02:49.271Z",
"description": "[Fuxnet](https://attack.mitre.org/software/S1157) initial execution relied on accessing external remote services for victim environments.(Citation: Claroty Fuxnet 2024)",
"relationship_type": "uses",
"source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json b/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json
index b12463dd46..21e5a2ba0c 100644
--- a/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json
+++ b/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--dc154cae-8a0e-436b-990b-d4ad8eda4100",
+ "id": "bundle--b67095d2-c898-4ccc-ab1c-1f3a1fb22023",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:25:59.238Z",
+ "modified": "2025-04-16T23:02:49.483Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) has the capability to stop a service itself, or to login as a user and stop a service as that user. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json b/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json
index 21f4c9e6af..f928fd159f 100644
--- a/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json
+++ b/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--71b7231b-c7e6-4f87-9991-19727e8ce081",
+ "id": "bundle--1faa0d2f-a000-497c-b2d6-2f6f69bff696",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--671043a9-337f-411a-9ca9-3112e897ab09",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.184Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:49.722Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json b/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json
index 9239aed24f..0ac11dc48c 100644
--- a/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json
+++ b/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9ff25d81-7562-474f-81fb-a3d5c085cbcf",
+ "id": "bundle--ba29e12a-ccec-476c-b7a4-7dbe171ba523",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd",
"created": "2023-09-29T18:02:52.119Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:02:52.119Z",
+ "modified": "2025-04-16T23:02:49.950Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json b/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json
index 7323cf9821..b60faf0cae 100644
--- a/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json
+++ b/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8ae8009f-0712-491f-86f2-d7d1d9893719",
+ "id": "bundle--996d6ce0-38d5-4500-aa8f-afff04463f08",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6795c92f-848f-488e-9c25-d240f99c9b34",
"created": "2023-09-28T21:23:39.333Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:23:39.333Z",
+ "modified": "2025-04-16T23:02:50.161Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json b/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json
index be833d1e6d..62e01ae9be 100644
--- a/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json
+++ b/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6bf85b0b-b499-4ed7-ae52-a830b068e6b8",
+ "id": "bundle--5cfbd96f-1b62-48c4-8301-e4d9234bf935",
"spec_version": "2.0",
"objects": [
{
@@ -44,15 +44,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:43:36.888Z",
+ "modified": "2025-04-16T23:02:50.389Z",
"description": "Monitor for API calls that can be used to install a hook procedure, such as the SetWindowsHookEx and SetWinEventHook functions.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json b/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json
index 26ec83e5eb..82f70e584e 100644
--- a/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json
+++ b/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--67b4c3e9-a51e-49b8-a0ea-7348fd6e47a4",
+ "id": "bundle--a07e83a8-c8eb-4f9c-aabe-35da536f05c0",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T15:40:28.784Z",
+ "modified": "2025-04-16T23:02:50.595Z",
"description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized spear phishing to gain access into energy sector environments. (Citation: Jeff Jones May 2018)",
"relationship_type": "uses",
"source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json b/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json
index f9823b9cf1..13e7e3a47c 100644
--- a/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json
+++ b/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0f5d5b25-960c-44fd-9afb-0eb937dd4c40",
+ "id": "bundle--ae1daffb-44ee-485f-b703-0ce7221ef9ce",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--67ae8423-c401-4c11-93d3-0454c288d934",
"created": "2023-09-29T16:31:57.421Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:31:57.421Z",
+ "modified": "2025-04-16T23:02:50.822Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json b/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json
index 252222cfe6..b3bdeddd6c 100644
--- a/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json
+++ b/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6175901e-821a-4b2c-8136-7368af971f8e",
+ "id": "bundle--b24ea313-100e-4556-9821-72cbddd4d5df",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--67dae594-4239-4756-a0bc-dee75de19e4c",
"created": "2023-09-29T17:07:14.259Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:07:14.259Z",
+ "modified": "2025-04-16T23:02:51.045Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json b/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json
index 99d00c1df3..a4f6ebf7d8 100644
--- a/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json
+++ b/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--027a81f3-481f-4ff8-8b07-9a371be2dbec",
+ "id": "bundle--a2b0728e-c1a6-4537-aa9e-f15e71d9e036",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-06T22:10:14.646Z",
+ "modified": "2025-04-16T23:02:51.272Z",
"description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to poll a target device about its connection status, data transfer status, Common Address (CA), Information Object Addresses (IOAs), and IO state values across multiple priority levels.(Citation: Industroyer2 Forescout July 2022)(Citation: Industroyer2 ESET April 2022)",
"relationship_type": "uses",
"source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
"target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json b/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json
index d679367a7c..2744ec924b 100644
--- a/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json
+++ b/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--c553d5e2-aaee-4749-9d36-7864678fb1e1",
+ "id": "bundle--579533b1-5514-4c10-bee7-60ee5f3d9b31",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.202Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:51.507Z",
"description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json b/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json
index 9f5dc04ee1..e21d032058 100644
--- a/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json
+++ b/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--767b7a0a-7250-4730-bd08-31e24e95d07e",
+ "id": "bundle--7575d710-3f61-4999-bd44-79b979957038",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--685249f9-e51a-4914-8b7f-09679e04198b",
"created": "2023-09-28T19:49:11.359Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:49:11.359Z",
+ "modified": "2025-04-16T23:02:51.723Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json b/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json
index cbb1e9ac32..210620cd4b 100644
--- a/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json
+++ b/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--38b39d93-f582-4387-ac9f-de0ff433cd10",
+ "id": "bundle--5e42913b-ddff-47fe-8f2e-b8391fb25b9b",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--686cbd74-ef49-4e77-9599-21777d3a4738",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--686cbd74-ef49-4e77-9599-21777d3a4738",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.174Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:51.936Z",
"description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json b/ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json
index b63bf7030e..bac0183b28 100644
--- a/ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json
+++ b/ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0120b3d2-c0df-4d29-a8e7-b26f4ca2ffb8",
+ "id": "bundle--c4c93c82-7b4a-4b0b-a818-1d7c696048be",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1",
"created": "2023-09-28T19:39:25.832Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:39:25.832Z",
+ "modified": "2025-04-16T23:02:52.150Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json b/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json
index 68601c4d0e..e8b8ca58bb 100644
--- a/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json
+++ b/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3879382d-e168-412e-a429-64fbfb742e00",
+ "id": "bundle--78e3b1b9-33c1-46f1-a820-96a40fdcc3c2",
"spec_version": "2.0",
"objects": [
{
@@ -69,15 +69,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-12-04T20:04:07.781Z",
+ "modified": "2025-04-16T22:20:55.390Z",
"description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)(Citation: Mandiant FIN12 Oct 2021)(Citation: Microsoft Ransomware as a Service)",
"relationship_type": "uses",
"source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
"target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json b/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json
index 84c47257d2..903095e095 100644
--- a/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json
+++ b/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--efbf8005-fa6e-4205-9615-ff76c38e8057",
+ "id": "bundle--96e7abcd-a00c-46a4-940f-c234f75cf052",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.214Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:52.510Z",
"description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json b/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json
index bae966963a..57189f1370 100644
--- a/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json
+++ b/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--220055b1-4e57-4c11-90d4-27e22665287c",
+ "id": "bundle--d3977ca6-23c6-4c10-a46d-e17551fd376d",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:38:13.560Z",
+ "modified": "2025-04-16T23:02:52.752Z",
"description": "Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host\u2019s GUI.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json b/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json
index b4b0749b84..8e9d262e4c 100644
--- a/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json
+++ b/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e1be70bb-74bb-4e62-8c36-8b2fddc34be6",
+ "id": "bundle--a05e631f-d5ab-48d3-b149-33dcb01abc14",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:17:44.736Z",
+ "modified": "2025-04-16T23:02:52.955Z",
"description": "Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json b/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json
index 24a49dca63..6f98fd59a0 100644
--- a/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json
+++ b/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--491004cc-1eae-4aac-a9c1-13d20518bfbe",
+ "id": "bundle--9f0a150d-3d0e-4cb2-8610-9f5b740d59d6",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:10:47.409Z",
+ "modified": "2025-04-16T23:02:53.160Z",
"description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data in information repositories, including the Infostealer 2 module that can access data from Windows Shares.(Citation: Symantec)",
"relationship_type": "uses",
"source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c",
"target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json b/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json
index f3de1f3078..20947ef01a 100644
--- a/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json
+++ b/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--eccc035d-e4bf-45fb-9690-b3d8d10a82d5",
+ "id": "bundle--98a3df80-e1d9-45b5-bb3a-1a5773189bed",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--692ff921-c74d-40a4-ab31-879aba5f247a",
"created": "2023-09-29T16:42:01.287Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:42:01.287Z",
+ "modified": "2025-04-16T23:02:53.380Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json b/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json
index 505b6976c5..f5b61cb9d6 100644
--- a/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json
+++ b/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--554c1f07-5c33-46de-8e4d-d6583c3289bc",
+ "id": "bundle--0db3d7e6-0983-4af5-a5ac-97b521ffb3cf",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.218Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:53.587Z",
"description": "Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility coverterms, codenames). In many cases this information may be necessary to support critical engineering, maintenance, or operational functions, therefore, it may not be feasible to implement.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa",
"target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91.json b/ics-attack/relationship/relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91.json
index 0820d99aa6..24aa6fe014 100644
--- a/ics-attack/relationship/relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91.json
+++ b/ics-attack/relationship/relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--960c3e14-0097-4f96-809e-6f19cba3692d",
+ "id": "bundle--31300aa7-d887-4ced-90e4-d71d2c1b047c",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-15T21:12:34.791Z",
+ "modified": "2025-04-16T23:02:53.819Z",
"description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) replaced the existing graphic on the [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002) with their own, thereby preventing PLC owners and operators from viewing PLC information on the HMI.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Jamie Tarabay and Katrina Manson December 2023) ",
"relationship_type": "uses",
"source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de",
"target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json b/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json
index 7a0a5b623f..4186a0fe35 100644
--- a/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json
+++ b/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--306c491a-3e1a-4684-85c9-25b6221d39e8",
+ "id": "bundle--0e355647-1c0e-41b0-b185-a02de878fa77",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:36:26.282Z",
+ "modified": "2025-04-16T23:02:54.021Z",
"description": "Provide the ability to verify the integrity of controller tasking. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json b/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json
index 8590027c4c..2a4d460d60 100644
--- a/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json
+++ b/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--34aba8e7-6835-44d5-8025-66c6253e9e78",
+ "id": "bundle--32f3a8da-0aa2-4ebc-82b6-494b358d615f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--69cf4015-fae1-47f6-9253-1f99209288a5",
"created": "2023-09-29T16:27:34.964Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:27:34.964Z",
+ "modified": "2025-04-16T23:02:54.220Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--69d19946-72fb-40ce-90fb-0757df8353b5.json b/ics-attack/relationship/relationship--69d19946-72fb-40ce-90fb-0757df8353b5.json
new file mode 100644
index 0000000000..979d874b09
--- /dev/null
+++ b/ics-attack/relationship/relationship--69d19946-72fb-40ce-90fb-0757df8353b5.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--8c38066b-32cc-4004-bd84-bbeadade657e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--69d19946-72fb-40ce-90fb-0757df8353b5",
+ "created": "2024-11-20T23:05:29.090Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:54.431Z",
+ "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) communicates using the Modbus protocol over the standard port of TCP 502.(Citation: Dragos FROSTYGOOP 2024)",
+ "relationship_type": "uses",
+ "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05",
+ "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json b/ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json
index e911a46028..5d7d601bfc 100644
--- a/ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json
+++ b/ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--59a89ba9-566f-4ca6-843d-c26ad4326bb1",
+ "id": "bundle--0697c315-8b32-4108-a5c0-629ea5e7adf1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820",
"created": "2023-09-29T17:44:19.135Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:44:19.135Z",
+ "modified": "2025-04-16T23:02:54.629Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json b/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json
index 486286a49f..7a7ccb6c44 100644
--- a/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json
+++ b/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5c865b3a-3eb7-4868-87be-f9907ed85422",
+ "id": "bundle--5ce392cf-3a89-4746-b18d-329481ed44c9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6a476f56-2c07-43be-8054-d978ee8eb924",
"created": "2023-09-29T16:42:12.160Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:42:12.160Z",
+ "modified": "2025-04-16T23:02:54.854Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json b/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json
index 2afea738b5..622c324f31 100644
--- a/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json
+++ b/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--bad81c9c-ef1e-4a38-be00-39504c1f1c12",
+ "id": "bundle--7efd4f03-23ca-4f56-81df-112480d504cc",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-06T22:10:36.267Z",
+ "modified": "2025-04-16T23:02:55.057Z",
"description": "[Industroyer2](https://attack.mitre.org/software/S1072) is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)",
"relationship_type": "uses",
"source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json b/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json
index d595df7c76..5ca9a89984 100644
--- a/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json
+++ b/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4cb09aaf-932e-43f1-86b5-403fa15b70f3",
+ "id": "bundle--ef5c935b-d83b-425f-9cde-90fd36ddb482",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T18:41:05.273Z",
+ "modified": "2025-04-16T23:02:55.272Z",
"description": "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d.json b/ics-attack/relationship/relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d.json
index ab4e8dffa5..eae046f313 100644
--- a/ics-attack/relationship/relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d.json
+++ b/ics-attack/relationship/relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3eff0218-b5df-4e77-ae7c-685a5a015b0c",
+ "id": "bundle--b853c6f2-af14-4267-a716-eefca5629ae3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d",
"created": "2023-03-30T14:09:40.255Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T14:09:40.255Z",
+ "modified": "2025-04-16T23:02:55.485Z",
"description": "Monitor for device alarms produced when device management passwords are changed, although not all devices will produce such alarms.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json b/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json
index f23f9eb4b9..e1c9d8541b 100644
--- a/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json
+++ b/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a0d6dfea-379e-42a5-a4d6-50cc92c833e1",
+ "id": "bundle--ac146b06-0a50-4fb9-a8f7-5c48cbf6dfb3",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T21:23:00.355Z",
+ "modified": "2025-04-16T23:02:55.713Z",
"description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json b/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json
index f8216b06a9..d48190791f 100644
--- a/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json
+++ b/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--82bf1c7a-f1f0-4d11-9bd9-e742eda6aec8",
+ "id": "bundle--ec501cd3-18a3-4083-89c1-1e98232ee7d7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72",
"created": "2023-09-29T16:31:22.789Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:31:22.789Z",
+ "modified": "2025-04-16T23:02:55.918Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c.json b/ics-attack/relationship/relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c.json
index b055b6a24b..6d4a38699f 100644
--- a/ics-attack/relationship/relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c.json
+++ b/ics-attack/relationship/relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--de61c90a-a9e3-4507-93ba-a2e79d675e40",
+ "id": "bundle--ddd6dde1-25d6-4155-81eb-df9fd40efd9c",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-15T21:12:44.100Z",
+ "modified": "2025-04-16T23:02:56.113Z",
"description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) exploited devices connected to the public internet, such as internet connected Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) with [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002) and networking equipment such as cellular modems found in OT environments.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: Lisa Zahner December 2023)",
"relationship_type": "uses",
"source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de",
"target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json b/ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json
index e8b198609f..b209765115 100644
--- a/ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json
+++ b/ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5d74fb43-ab20-4115-98ce-85e87d535a87",
+ "id": "bundle--33b06b93-ca3c-4f46-b9c2-381b1b48bbc5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6b54f354-9059-4366-8077-87360c4db2ab",
"created": "2023-10-02T20:18:20.019Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:18:20.019Z",
+ "modified": "2025-04-16T23:02:56.338Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json b/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json
index f1654f7e4a..f9ba007a4b 100644
--- a/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json
+++ b/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--d2a125bd-333c-4e10-b478-1bab20561a19",
+ "id": "bundle--86c1f557-1bfe-4704-9ceb-48738873188e",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.147Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:56.540Z",
"description": "Only authorized personnel should be able to change settings for alarms.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json b/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json
index 5806406d6b..2182d12a7c 100644
--- a/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json
+++ b/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--166e4881-3078-4f3d-8705-132af99b7430",
+ "id": "bundle--e988c35d-d8c2-4585-a461-ff6bf434ae87",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.101Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:56.761Z",
"description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json b/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json
index 673d55a321..be646c1d9e 100644
--- a/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json
+++ b/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--bb0cf485-4df2-4659-ad0d-e4ca94ff6440",
+ "id": "bundle--c6a55950-3b4e-4e25-8517-b78742d9bc45",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T16:44:06.211Z",
- "description": "Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.",
+ "modified": "2025-04-16T23:02:56.985Z",
+ "description": "Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal on Host Mitigation](https://attack.mitre.org/mitigations/T1070) and applicable sub-techniques.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json b/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json
index 3f487fb761..0545a0efea 100644
--- a/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json
+++ b/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--bbdc6053-8238-4ca8-9e1c-9ebbaaf30cc6",
+ "id": "bundle--f60b55bf-1360-41f7-a5e7-4c468c89d9e4",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T17:13:18.889Z",
+ "modified": "2025-04-16T23:02:57.213Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell with the following command: `set @s = master..xp _ cmdshell extrac32 /y +@t+ +@t+x; exec(@s);` (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json b/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json
index bbaeeb3971..87c39a4852 100644
--- a/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json
+++ b/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--cfa74f5e-e5ab-4344-9f28-a198afd6e7b1",
+ "id": "bundle--62aecc7b-61b1-4033-bcc3-4153f7e98143",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:40:22.279Z",
+ "modified": "2025-04-16T23:02:57.426Z",
"description": "Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json b/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json
index 396aeedfb8..3673253ad9 100644
--- a/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json
+++ b/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--92deb223-7bb1-44ff-bfa6-8cd8a83781db",
+ "id": "bundle--0d65da0c-a1b8-4935-8855-8537ead217eb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee",
"created": "2022-09-29T14:26:04.715Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-29T14:26:04.715Z",
+ "modified": "2025-04-16T23:02:57.666Z",
"description": "Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json b/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json
index 0caec8d837..39ee1725d2 100644
--- a/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json
+++ b/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--e8f2de61-e894-4bc7-b907-bbb573c3d4ee",
+ "id": "bundle--61e339bc-5469-4b29-bf27-9e5fc15f2160",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.089Z",
- "relationship_type": "mitigates",
- "description": "Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
- "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:02:57.900Z",
+ "description": "Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
+ "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json b/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json
index b12c4559bb..bbb8bdba8f 100644
--- a/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json
+++ b/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8fbbac4a-3d01-4c21-a0f8-bed2388fbfed",
+ "id": "bundle--fefa2964-2373-4c5a-ab41-c974b73977e5",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:57:08.560Z",
+ "modified": "2025-04-16T23:02:58.129Z",
"description": "Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json b/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json
index 07da1ad4ec..47cdf3b1b5 100644
--- a/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json
+++ b/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--69f155f4-115a-4a45-91ea-11a7dce5e0c3",
+ "id": "bundle--ac261882-5a12-428d-beec-95c3ae355eaf",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187",
+ "created": "2021-10-14T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-10-14T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.224Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:58.370Z",
"description": "Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7",
"target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json b/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json
index b93364b4f6..65b540a235 100644
--- a/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json
+++ b/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--16d1f824-8580-43e6-9167-9c7cf3220276",
+ "id": "bundle--6f262927-92aa-4884-8ef0-d990a4e28028",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6c31c795-935a-41ad-8db1-d74430f4a553",
"created": "2023-09-29T18:56:59.151Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:56:59.151Z",
+ "modified": "2025-04-16T23:02:58.609Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json b/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json
index 1d84ac6244..52e778fdbd 100644
--- a/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json
+++ b/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--33b437da-3377-4042-b56d-d134556167b6",
+ "id": "bundle--93de853c-9e52-4405-ba83-1e039475f48c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4",
"created": "2023-09-28T20:09:36.756Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:09:36.756Z",
+ "modified": "2025-04-16T23:02:58.835Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json b/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json
index 427f7f1684..f2a9aa25c9 100644
--- a/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json
+++ b/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--55c3343a-9fe9-4c28-9424-6da291c9da7d",
+ "id": "bundle--4862e144-ff48-452f-a293-2659afb50073",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e",
"created": "2023-09-28T20:08:52.975Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:08:52.975Z",
+ "modified": "2025-04-16T23:02:59.035Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json b/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json
index 2663e9858c..54a18cabdd 100644
--- a/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json
+++ b/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--254d2bc3-75ee-44d3-b1ee-701068e49d0e",
+ "id": "bundle--bdfad153-72c9-4c9a-aa5c-96597f7535bb",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.186Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:59.279Z",
"description": "All remote services should require strong authentication before providing user access.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json b/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json
index d414fc2d93..8951302e51 100644
--- a/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json
+++ b/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6df895d1-0e68-4f99-aaa5-18194c146dc1",
+ "id": "bundle--75b6d9d9-470b-4329-a8af-cbf693c95491",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:19:43.236Z",
+ "modified": "2025-04-16T23:02:59.500Z",
"description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through trojanized installers planted on compromised vendor sites. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)",
"relationship_type": "uses",
"source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
"target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json b/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json
index 4e29050c3c..9462d38859 100644
--- a/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json
+++ b/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--f13c7b3b-2404-4cfd-8eb7-7031bf8bf746",
+ "id": "bundle--b2668196-d9d3-46c1-9a81-aaa24760caab",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5",
"created": "2023-03-10T20:35:16.772Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:35:16.772Z",
+ "modified": "2025-04-16T23:02:59.730Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json b/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json
index a35a753c5b..fa99a331d9 100644
--- a/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json
+++ b/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--a5533ae7-a8f5-45bf-8a40-5af49e21a8b2",
+ "id": "bundle--f7eb9fcb-4c10-433a-ba94-502308ade131",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.220Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:02:59.940Z",
"description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6e7e6dfa-99ed-4cf1-b836-16ad0ae0924b.json b/ics-attack/relationship/relationship--6e7e6dfa-99ed-4cf1-b836-16ad0ae0924b.json
index 0ac92c85fc..80b89a0208 100644
--- a/ics-attack/relationship/relationship--6e7e6dfa-99ed-4cf1-b836-16ad0ae0924b.json
+++ b/ics-attack/relationship/relationship--6e7e6dfa-99ed-4cf1-b836-16ad0ae0924b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1f53021c-be42-45db-89fd-33c9f903a669",
+ "id": "bundle--a24ac951-a904-4b8c-8683-8ac60f6b9ec7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6e7e6dfa-99ed-4cf1-b836-16ad0ae0924b",
"created": "2024-03-25T20:18:44.670Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-25T20:18:44.670Z",
+ "modified": "2025-04-16T23:03:00.148Z",
"description": "Monitor executed commands and associated arguments for application programs which support executing custom code, scripts, commands, or executables. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json b/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json
index 5b52c715dd..7d5eba41cd 100644
--- a/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json
+++ b/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4bbe7075-7ebe-4400-ac04-deaffa43a766",
+ "id": "bundle--b6e64e96-84bd-4e6c-acac-3fb475f11fb9",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:47:06.144Z",
+ "modified": "2025-04-16T23:03:00.398Z",
"description": "Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f.json b/ics-attack/relationship/relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f.json
index 0369ec1005..752fb3cb0c 100644
--- a/ics-attack/relationship/relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f.json
+++ b/ics-attack/relationship/relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0ae7b191-a794-4735-a5b4-71b6b0259038",
+ "id": "bundle--65b2cdb4-f3cd-4536-82ee-4c1f2c9f07dc",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f",
"created": "2024-03-26T15:42:22.024Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-26T15:42:22.024Z",
+ "modified": "2025-04-16T23:03:00.601Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json b/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json
index d51d4ea637..6094081461 100644
--- a/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json
+++ b/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e4aa2848-9f81-4950-b38d-37a747ffb070",
+ "id": "bundle--4fb72b33-f6fe-4185-9db2-323a601e52fe",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:05:35.788Z",
+ "modified": "2025-04-16T23:03:00.821Z",
"description": "[REvil](https://attack.mitre.org/software/S0496) sends exfiltrated data from the victims system using HTTPS POST messages sent to the C2 system. (Citation: McAfee Labs October 2019) (Citation: SecureWorks September 2019)",
"relationship_type": "uses",
"source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
"target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json b/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json
index 581648001d..78a38ca031 100644
--- a/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json
+++ b/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--ff958853-4de1-47f8-9f4a-dd211356a057",
+ "id": "bundle--a2864a35-92bf-45e1-98f2-7da85900ab45",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.069Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:01.035Z",
"description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json b/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json
index 9f4ca1bd9f..5e138a9912 100644
--- a/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json
+++ b/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--047b2370-4936-4cb1-a88c-f2b44e4b6982",
+ "id": "bundle--899162f2-a6a4-45f9-94b7-ed26c7991928",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf",
"created": "2023-09-29T17:41:50.116Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:41:50.116Z",
+ "modified": "2025-04-16T23:03:01.272Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json b/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json
index 63f71c1e82..cc09869ab0 100644
--- a/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json
+++ b/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--4eb64d6b-fe25-42da-8e89-8e8430b3cfea",
+ "id": "bundle--5c3abe60-a2de-446a-9f61-6819981709a7",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.112Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:01.498Z",
"description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
"target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json b/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json
index 119a1f1605..4ae0a2f616 100644
--- a/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json
+++ b/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0f618c82-527e-4fb1-8868-4c6004a4084e",
+ "id": "bundle--8f3af37c-9f42-4141-ac4c-f4fdceac14c6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6f2ddada-d7df-4788-b5d1-9add185142e0",
"created": "2023-09-28T20:02:57.330Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:02:57.330Z",
+ "modified": "2025-04-16T23:03:01.724Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json b/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json
index 70ebfecc41..d4cdd1c255 100644
--- a/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json
+++ b/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--332ae1b7-f11f-4d86-bdc2-716099987af2",
+ "id": "bundle--224f3e87-77a4-4a42-a447-10e447caedbf",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e",
"created": "2023-09-28T21:27:14.172Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:27:14.172Z",
+ "modified": "2025-04-16T23:03:01.937Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json b/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json
index b7aeb054fa..1ed08aaa53 100644
--- a/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json
+++ b/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6bf520e7-e19b-4b7e-b9e2-6101bcd5ee34",
+ "id": "bundle--70ea3b99-e9f4-4ef2-b7d9-a32936ac9b82",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6f950c91-125b-46a0-aa40-239b4de2306a",
"created": "2023-09-28T21:14:03.305Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:14:03.305Z",
+ "modified": "2025-04-16T23:03:02.130Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd.json b/ics-attack/relationship/relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd.json
index 59d305d67f..c91778184c 100644
--- a/ics-attack/relationship/relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd.json
+++ b/ics-attack/relationship/relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--4c811d4d-c16d-49a8-a398-b1067bf069a1",
+ "id": "bundle--8405e742-61c7-4ea8-84e2-bb8bf6f052ae",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd",
"created": "2024-09-11T23:00:00.833Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-09-11T23:00:00.833Z",
+ "modified": "2025-04-16T23:03:02.333Z",
"description": "[Fuxnet](https://attack.mitre.org/software/S1157) repeatedly wrote arbitrary data over the Meter-Bus channel from impacted devices to connected sensors to render sensor data acquisition useless.(Citation: Claroty Fuxnet 2024)",
"relationship_type": "uses",
"source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b",
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json b/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json
index bea1a0abf4..b3fd00cc46 100644
--- a/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json
+++ b/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4b23af6e-a531-42dd-a193-656ba728f2b3",
+ "id": "bundle--203d7031-25ee-4907-9a9a-6a01ec0d3375",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:01:38.884Z",
+ "modified": "2025-04-16T23:03:02.537Z",
"description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
"relationship_type": "uses",
"source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
"target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json b/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json
index d3026ce3c3..c43ddeac3d 100644
--- a/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json
+++ b/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--fd1eb6cb-ae95-49e5-a37d-8fe61927ee6d",
+ "id": "bundle--890a097e-8aba-4b2f-8479-0c852bfb02da",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7",
"created": "2023-03-30T19:25:22.673Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:25:22.673Z",
+ "modified": "2025-04-16T23:03:02.767Z",
"description": "[Industroyer2](https://attack.mitre.org/software/S1072) leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.(Citation: Industroyer2 Forescout July 2022)",
"relationship_type": "uses",
"source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json b/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json
index 8d9bd1277a..fa27537232 100644
--- a/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json
+++ b/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ddbbc620-add4-4152-b112-1d6224029765",
+ "id": "bundle--b9e2168b-55fb-4333-8f9e-9752b11d040c",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T19:17:12.033Z",
- "description": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running. For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).",
+ "modified": "2025-04-16T23:03:02.978Z",
+ "description": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running. For added context on adversary procedures and background see [Service Stop Mitigation](https://attack.mitre.org/mitigations/T1489).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json b/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json
index fed2181461..8f9e9f6e88 100644
--- a/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json
+++ b/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--0d95a797-924a-4a55-8504-7265a15917b3",
+ "id": "bundle--1c94a0c2-b58c-4852-9b28-f4c04d678119",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.135Z",
- "relationship_type": "mitigates",
- "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
- "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
- "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "M. Rentschler and H. Heine",
@@ -23,9 +15,16 @@
"url": "https://ieeexplore.ieee.org/document/6505877"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:03.179Z",
+ "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
+ "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json b/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json
index f1328a690a..58885c627a 100644
--- a/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json
+++ b/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3a959be2-a87b-4397-9af5-b0319a6eab7c",
+ "id": "bundle--6ab9acb7-299d-4219-9b19-7abec05da07f",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:25:44.864Z",
+ "modified": "2025-04-16T23:03:03.420Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe which includes a Python environment. (Citation: DHS CISA February 2019)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json b/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json
index d330db8ecd..80f3f98226 100644
--- a/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json
+++ b/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--06ecb948-d465-4f9f-beae-0618755acd69",
+ "id": "bundle--8865769e-bc2e-4245-a5ea-d9527a6d8dd3",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:23:29.885Z",
+ "modified": "2025-04-16T23:03:03.639Z",
"description": "Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json b/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json
index 5bc264b55c..0fdf665b0e 100644
--- a/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json
+++ b/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3cc88f2f-e6ba-4b02-9019-15b403a300fa",
+ "id": "bundle--b7419970-ab70-4145-88f7-8ae0d51a588e",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:29:38.448Z",
+ "modified": "2025-04-16T23:03:03.869Z",
"description": "Monitor network traffic for default credential use in protocols that allow unencrypted authentication.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json b/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json
index 3dfe9604c4..ccc46710c0 100644
--- a/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json
+++ b/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b0a4dfee-6cb6-4fde-81df-4beeba277ed0",
+ "id": "bundle--c14dabd4-2068-4dde-8556-15a040a194b3",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-17T15:38:28.233Z",
+ "modified": "2025-04-16T23:03:04.077Z",
"description": "[Conficker](https://attack.mitre.org/software/S0608) exploits Windows drive shares. Once it has infected a computer, [Conficker](https://attack.mitre.org/software/S0608) automatically copies itself to all visible open drive shares on other computers inside the network. (Citation: Symantec June 2015) Nuclear power plant officials suspect someone brought in [Conficker](https://attack.mitre.org/software/S0608) by accident on a USB thumb drive, either from home or computers found in the power plant's facility. (Citation: Catalin Cimpanu April 2016)",
"relationship_type": "uses",
"source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55",
"target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json b/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json
index ceb2a2be56..fa190bed1e 100644
--- a/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json
+++ b/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--73b37f64-0893-42d9-b499-44e95e80413e",
+ "id": "bundle--35480376-e4f7-4961-848f-70e4d97b7828",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977",
"created": "2023-09-28T19:55:37.459Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:55:37.459Z",
+ "modified": "2025-04-16T23:03:04.320Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json b/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json
index 78e81df241..00e6e75f3f 100644
--- a/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json
+++ b/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--d0061656-d5d0-47e0-bf45-f6a7864f178a",
+ "id": "bundle--c939daa4-0bbc-41d1-b8c3-a1e00942fc7b",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.228Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:04.533Z",
"description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json b/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json
index 2e9b456fec..2a0573dd2d 100644
--- a/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json
+++ b/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c779086a-803a-4f29-a00c-ea6700567827",
+ "id": "bundle--77dc9a51-29a1-4861-9b57-566db43bb306",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T16:44:01.639Z",
+ "modified": "2025-04-16T23:03:04.796Z",
"description": "To protect against AiTM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from AiTM.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3.json b/ics-attack/relationship/relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3.json
index 3194bcb3f0..0e745d527d 100644
--- a/ics-attack/relationship/relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3.json
+++ b/ics-attack/relationship/relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--826a3e62-8050-4ae5-8e84-89c7ce1eeec5",
+ "id": "bundle--93f48b8c-e287-4f26-82b9-9d993d545c7c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3",
"created": "2024-09-11T23:00:48.583Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-09-11T23:00:48.583Z",
+ "modified": "2025-04-16T23:03:04.999Z",
"description": "[Fuxnet](https://attack.mitre.org/software/S1157) impaired sensor communication to impacted devices resulting in a loss of view condition for overall system monitoring.(Citation: Claroty Fuxnet 2024)",
"relationship_type": "uses",
"source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b",
"target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json b/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json
index e736fd5599..7e763a7eb2 100644
--- a/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json
+++ b/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--28d0b719-84f7-40e0-a39b-61ca3ccc7183",
+ "id": "bundle--d2db2357-aeba-44ea-9c4b-77366e9941a4",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:59:02.909Z",
+ "modified": "2025-04-16T23:03:05.205Z",
"description": "[NotPetya](https://attack.mitre.org/software/S0368) disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines. (Citation: David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019)",
"relationship_type": "uses",
"source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json b/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json
index c8cbd15781..badb876f51 100644
--- a/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json
+++ b/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c08723ea-d4f9-4ec7-bf99-71cce591fab6",
+ "id": "bundle--bfd1a6af-bd85-4053-aae0-c8c294a3de95",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:33:47.681Z",
+ "modified": "2025-04-16T23:03:05.417Z",
"description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json b/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json
index 2a0118b053..cc2d1c3eac 100644
--- a/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json
+++ b/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--67587a50-ee6f-4f7f-85ed-7585c64e8e70",
+ "id": "bundle--d279c025-de37-47f7-b76e-5d95c5e0a43c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--730580d4-d68c-407f-9d09-f379e9aefc7e",
"created": "2023-03-30T19:25:41.475Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:25:41.475Z",
+ "modified": "2025-04-16T23:03:05.631Z",
"description": "[Industroyer2](https://attack.mitre.org/software/S1072) uses a General Interrogation command to monitor the device\u2019s Information Object Addresses (IOAs) and their IO state values.(Citation: Industroyer2 Forescout July 2022)",
"relationship_type": "uses",
"source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
"target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json b/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json
index 37e560e27f..762b3991ec 100644
--- a/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json
+++ b/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1c82602f-5b1c-4b21-a36e-3d2732caabe7",
+ "id": "bundle--606df0d5-67fc-4c67-8416-ca15882f2afb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--73093c08-ea39-4956-8bff-55e15f6630cd",
"created": "2023-09-28T20:07:59.785Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:07:59.785Z",
+ "modified": "2025-04-16T23:03:05.863Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json b/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json
index 5db9f0d78c..630eaf0cfc 100644
--- a/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json
+++ b/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--fdb5349a-9ca4-42bc-afce-5c51e4dd4e05",
+ "id": "bundle--44504597-59d3-42cf-8c16-042a3f2ff77d",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T15:42:15.944Z",
+ "modified": "2025-04-16T23:03:06.078Z",
"description": "[APT33](https://attack.mitre.org/groups/G0064) utilized PowerShell scripts to establish command and control and install files for execution. (Citation: Symantec March 2019) (Citation: Dragos)",
"relationship_type": "uses",
"source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json b/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json
index d33a794151..a8f4944935 100644
--- a/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json
+++ b/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--905fb294-9a27-47ce-87c1-d3444c37e50a",
+ "id": "bundle--a574ebc6-c26c-45a5-b109-313010ba8d28",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-09-12T19:30:45.065Z",
+ "modified": "2025-04-16T23:03:06.311Z",
"description": "Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.(Citation: Twitter ItsReallyNick Masquerading Update)",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148.json b/ics-attack/relationship/relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148.json
index 9f4ff1c18e..542b5215fa 100644
--- a/ics-attack/relationship/relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148.json
+++ b/ics-attack/relationship/relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3e3e75e6-f29d-4be7-9edd-d1482508d426",
+ "id": "bundle--8d4025c8-7f87-4f20-b366-09a4511ea5fe",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148",
"created": "2024-03-25T20:17:16.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-25T20:17:16.271Z",
+ "modified": "2025-04-16T23:03:06.534Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json b/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json
index 50f9bdfcaa..399357fe79 100644
--- a/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json
+++ b/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--cde1f3de-a45a-4bdf-b908-16e845d623d1",
+ "id": "bundle--8a5241c5-70ba-420d-b233-03c81989b9a5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--740082b7-2411-473a-a59d-4d46cf12f8b5",
"created": "2023-09-29T18:45:01.516Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:45:01.516Z",
+ "modified": "2025-04-16T23:03:06.769Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json b/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json
index 755542b0b1..5afb802031 100644
--- a/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json
+++ b/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--046e2e23-ee0a-44b8-b96d-5d674a72e7c9",
+ "id": "bundle--9aa8c5cf-2692-4060-ac42-35e5fcbfa696",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--7411b05d-209a-4907-83ce-00ab1538fbac",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.084Z",
- "relationship_type": "mitigates",
- "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n",
- "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
- "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014",
@@ -23,9 +15,16 @@
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:06.974Z",
+ "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
+ "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json b/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json
index 5e4e6f5a95..0d43fd6310 100644
--- a/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json
+++ b/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d9b8aa65-5b2c-40cb-92c0-a50b302c52d2",
+ "id": "bundle--f4e692f8-78d1-495f-aa9c-a6daf7e72eb4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7",
"created": "2023-09-29T17:57:23.090Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:57:23.090Z",
+ "modified": "2025-04-16T23:03:07.186Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json b/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json
index 07e5bee26a..0b266f7605 100644
--- a/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json
+++ b/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f381edab-b53e-4e70-9f89-cec1e4e524e9",
+ "id": "bundle--a1c1e277-c5c9-467c-af3b-7c9c6f3c9cac",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:26:26.552Z",
+ "modified": "2025-04-16T23:03:07.420Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. (Citation: MDudek-ICS)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json b/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json
index 197fe0949f..2ace3b44bf 100644
--- a/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json
+++ b/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--1f28a5e8-b0e3-485a-a11d-84545147236d",
+ "id": "bundle--87e006a9-ca78-4857-a6a3-acf659eab484",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--74ec9ce5-3155-488c-ae56-570c47a1d207",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-04-13T12:45:26.506Z",
- "modified": "2022-05-06T17:47:24.194Z",
- "relationship_type": "mitigates",
- "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n",
- "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
- "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "D. Parsons and D. Wylie September 2019",
@@ -43,9 +35,16 @@
"url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:07.643Z",
+ "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
+ "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json b/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json
index 7c6bda16cf..53fc261870 100644
--- a/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json
+++ b/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--f7b75999-e5f9-46d5-ae7d-5c8f9c97afc1",
+ "id": "bundle--7644866b-1fe9-47ea-93cf-3eb68a1ef8a1",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.080Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:07.872Z",
"description": "Execution prevention may block malicious software from accessing protected resources through the command line interface.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json b/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json
index 55c82cb65b..a37e0d8515 100644
--- a/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json
+++ b/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--2a8a2e66-2da3-4869-8839-6225fc20cd3e",
+ "id": "bundle--da5cfd31-c749-448b-8cca-8cad268b734c",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--754521fc-4306-4daa-831b-6b6fb45847e2",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.108Z",
- "relationship_type": "mitigates",
- "description": "All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. (Citation: MITRE June 2020)\n",
- "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
- "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "MITRE June 2020",
@@ -23,9 +15,16 @@
"url": "https://cwe.mitre.org/data/definitions/227.html"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:08.074Z",
+ "description": "All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. (Citation: MITRE June 2020)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
+ "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json b/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json
index f9a73f2d88..89aa37d3a6 100644
--- a/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json
+++ b/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ad8024db-4f5f-4a79-a8c9-363105952efc",
+ "id": "bundle--237f975b-5f0e-4b57-afed-274f95ca65ff",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7584e57f-1258-4c47-b18d-99019a586e6c",
"created": "2023-09-28T21:16:35.382Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:16:35.382Z",
+ "modified": "2025-04-16T23:03:08.328Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json b/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json
index b1e9f952c7..5be4f2d703 100644
--- a/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json
+++ b/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--27212bb3-ade0-4ef3-bb2b-73d0df745f6a",
+ "id": "bundle--f9f9f0b9-4591-4dec-8d8b-1fdbe9566a36",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--758773e3-d23d-44db-b5d3-643cde5b41f1",
"created": "2023-09-28T19:45:07.511Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:45:07.511Z",
+ "modified": "2025-04-16T23:03:08.526Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json b/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json
index e0f7bcc276..c83becfa9e 100644
--- a/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json
+++ b/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--08581b4b-5318-41b4-ab63-5ba70ef2abf3",
+ "id": "bundle--468a41c4-a5fc-4986-a284-74fc90406d7a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:49:30.320Z",
+ "modified": "2025-04-16T23:03:08.752Z",
"description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json b/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json
index 3d551cf98b..401811772b 100644
--- a/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json
+++ b/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--339f8d48-4864-44f6-a2a2-9faee0364963",
+ "id": "bundle--f5c620d3-3bcd-42a3-88ce-47ae88c67a28",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:55:46.014Z",
+ "modified": "2025-04-16T23:03:08.958Z",
"description": "Monitor for unusual processes with internal network connections creating files on-system which may be suspicious. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json b/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json
index f4d6155432..829dba0081 100644
--- a/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json
+++ b/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2f011351-b32d-46fa-b245-a55ed65760ae",
+ "id": "bundle--8e7c856b-d43e-4d49-89d4-1501c6830f06",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48",
"created": "2023-09-29T17:06:33.098Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:06:33.098Z",
+ "modified": "2025-04-16T23:03:09.180Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json b/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json
index c107f9b37f..22b2253d4d 100644
--- a/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json
+++ b/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--efc55892-2420-4f8d-a572-76aa541cfeb3",
+ "id": "bundle--7fda3fb0-1e34-44a1-a35f-1f8949662bd6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--75e6adae-06a7-47e9-878e-74ca73004c3b",
"created": "2023-09-28T20:30:01.641Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:30:01.641Z",
+ "modified": "2025-04-16T23:03:09.421Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json b/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json
index 69d20d75b2..a9b7eae50a 100644
--- a/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json
+++ b/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--db0ea4b4-cb9c-4e7f-9afc-1498c811e696",
+ "id": "bundle--f0459867-c8fc-4444-bbf6-e44dcb417226",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--76537fd7-5782-4a8d-9b54-117b168a4306",
"created": "2023-09-29T16:38:51.155Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:38:51.155Z",
+ "modified": "2025-04-16T23:03:09.631Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json b/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json
index afc2e283b2..d909c3b7a2 100644
--- a/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json
+++ b/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--fdadf067-3b87-4117-bdb4-d119d7d20ed6",
+ "id": "bundle--0a9bb103-8c36-4cdd-87ac-84d132dbae8a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T19:36:51.486Z",
+ "modified": "2025-04-16T23:03:09.856Z",
"description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. For added context on adversary procedures and background see [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) and applicable sub-techniques.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json b/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json
index b4dd48c16f..fec36f350d 100644
--- a/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json
+++ b/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--71763406-1e2b-4f3b-9ebd-7e75b71eecf9",
+ "id": "bundle--10ead9fc-cc0d-472b-be84-8df790464ffc",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--77566f94-5e26-41c9-892f-2f62b395afe7",
"created": "2023-09-28T20:01:43.057Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:01:43.057Z",
+ "modified": "2025-04-16T23:03:10.076Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json b/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json
index 09c755255f..9c69568836 100644
--- a/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json
+++ b/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--584103d4-6234-4a94-a1e6-038d78233782",
+ "id": "bundle--c5bb3427-bb5a-461c-b8fd-4ab57a19b34f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--77821dbb-367e-455f-bcae-b87412e88f1b",
"created": "2022-09-26T16:56:53.939Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:56:53.940Z",
+ "modified": "2025-04-16T23:03:10.317Z",
"description": "Monitor asset management systems for device configuration changes which can be used to understand expected parameter settings.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json b/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json
index 4d75efc0cc..532b28cc4f 100644
--- a/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json
+++ b/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a6fc6b9f-3ea5-4db7-a607-ee9f9fc3915f",
+ "id": "bundle--4530af17-518a-4bbe-843b-b4c849acd1a2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--77f3a64d-227d-487f-8484-89007e05b59f",
"created": "2023-09-28T21:16:14.153Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:16:14.153Z",
+ "modified": "2025-04-16T23:03:10.528Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json b/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json
index 20f1cfd3ed..07cd906375 100644
--- a/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json
+++ b/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--aba50f00-4e9a-41af-9991-da31a36e1ffa",
+ "id": "bundle--e5f43083-21d4-47f7-96d4-53e4daf0bdab",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--78881a3d-59ad-4fbb-8bd2-69388a068584",
"created": "2023-09-29T18:01:45.518Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:01:45.518Z",
+ "modified": "2025-04-16T23:03:10.749Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json b/ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json
index 958c032469..69303f3703 100644
--- a/ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json
+++ b/ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a9ce8856-a901-404e-956e-d6dcf2dd8285",
+ "id": "bundle--6a09c0a9-0550-474f-89be-c3fec732dddd",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631",
"created": "2023-09-28T21:09:33.225Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:09:33.225Z",
+ "modified": "2025-04-16T23:03:10.979Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json b/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json
index 45af280f7b..6e8574103c 100644
--- a/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json
+++ b/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6ea86c43-993d-4113-8284-f90fa58f40b3",
+ "id": "bundle--f625b82a-a94e-4612-9cd9-2185530e9898",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:12:25.316Z",
+ "modified": "2025-04-16T23:03:11.181Z",
"description": "Monitor ICS automation network protocols for functions related to reading an asset\u2019s operating mode. In some cases, there may be multiple ways to detect a device\u2019s operating mode, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json b/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json
index 116397dc49..9a76cf6519 100644
--- a/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json
+++ b/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--135dad31-6ee7-488c-9473-445c870b253e",
+ "id": "bundle--fa23b874-6bb8-4dba-9f5d-b7b60ad68f66",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7912946d-1605-465a-a55c-36bb104235ab",
"created": "2022-09-27T16:08:53.157Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T16:08:53.157Z",
+ "modified": "2025-04-16T23:03:11.429Z",
"description": "Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json b/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json
index d4c2146d0f..0d12bab9c0 100644
--- a/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json
+++ b/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--58bb11f7-bbf1-4157-a039-be3c3b814556",
+ "id": "bundle--785c7d3f-0d2e-4768-bc56-f130538d458f",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:44:27.955Z",
+ "modified": "2025-04-16T23:03:11.665Z",
"description": "[Duqu](https://attack.mitre.org/software/S0038)'s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.(Citation: Symantec)",
"relationship_type": "uses",
"source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c",
"target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json b/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json
index a59b4f0ef1..f1a7785d54 100644
--- a/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json
+++ b/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c468c068-5144-4732-995c-adfe51688b09",
+ "id": "bundle--aaaa037f-8f27-4ddf-853d-a05843b144ba",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--79235599-e23f-43cb-9c56-1eb22b7c4664",
"created": "2023-09-29T16:38:38.201Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:38:38.201Z",
+ "modified": "2025-04-16T23:03:11.899Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json b/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json
index e24b79c794..f3eebc9db4 100644
--- a/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json
+++ b/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a84fb3f9-144a-461b-95e7-b72c5d37478f",
+ "id": "bundle--1a58357b-1cf3-4a97-8dcb-8a50ae944f67",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:25:35.287Z",
+ "modified": "2025-04-16T23:03:12.112Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json b/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json
index ad89ab5e24..750b2232f8 100644
--- a/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json
+++ b/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e8de4d15-3e54-4aad-9537-917facadeaa8",
+ "id": "bundle--052d4ab9-e473-4cab-aa51-6775cfe23f07",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--79407d1e-8e16-48c1-939c-ad92f91dd988",
"created": "2023-09-29T16:30:19.141Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:30:19.141Z",
+ "modified": "2025-04-16T23:03:12.327Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json b/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json
index e9e0512d44..8d0d774ccd 100644
--- a/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json
+++ b/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--d179d1be-9a61-407c-a70f-0dd25d8f87d4",
+ "id": "bundle--762f46de-faec-451d-9b77-8437608f80d8",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-14T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.226Z",
- "relationship_type": "mitigates",
- "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "North America Transmission Forum December 2019",
@@ -23,9 +15,16 @@
"url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:12.541Z",
+ "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json b/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json
index b0e9f231cd..73caf6de6b 100644
--- a/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json
+++ b/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--71c75d97-3af2-4cc1-abc9-9fa4169450bc",
+ "id": "bundle--2aa0b0d1-4868-42f1-a84f-1b7d670410ea",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--798de2f3-218b-4622-a62c-84e3840d45a6",
"created": "2023-09-29T18:00:10.845Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:00:10.845Z",
+ "modified": "2025-04-16T23:03:12.762Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json b/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json
index 9c9e847cff..a39a8ac030 100644
--- a/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json
+++ b/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2a0dbb0d-b04b-4d48-ba65-01a5e0dd1736",
+ "id": "bundle--0ad4da96-b39d-44d3-a4f8-c46251883f79",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19",
"created": "2023-09-29T16:32:22.510Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:32:22.510Z",
+ "modified": "2025-04-16T23:03:12.990Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json b/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json
index 1006f288b7..a370606c71 100644
--- a/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json
+++ b/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b4a594ea-98d3-4d42-98a7-036be0bdfb4c",
+ "id": "bundle--093ce8f9-8913-4545-89d0-f2a0b4fa8686",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Kevin Savage and Branko Spasojevic",
- "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ",
- "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99"
+ "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20190930124504/https:/www.symantec.com/security-center/writeup/2012-052811-0308-99"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:50:07.974Z",
+ "modified": "2025-04-16T23:03:13.202Z",
"description": "[Flame](https://attack.mitre.org/software/S0143) can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information. (Citation: Kevin Savage and Branko Spasojevic)",
"relationship_type": "uses",
"source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json b/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json
index c87a3c55c1..ddb5af425c 100644
--- a/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json
+++ b/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--81f708f1-4af0-4122-9528-fa609886957f",
+ "id": "bundle--309bcb7e-b224-4805-8aa3-00784f8b2c08",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:46:05.831Z",
+ "modified": "2025-04-16T23:03:13.412Z",
"description": "Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe). ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json b/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json
index 099d6d4c57..b5f78c2ab8 100644
--- a/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json
+++ b/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d41a3253-a6ea-4ac4-be3c-7dd453420a7f",
+ "id": "bundle--bcac9652-27f4-4c4a-b690-f2a7751bec48",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:56:48.612Z",
+ "modified": "2025-04-16T23:03:13.651Z",
"description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of view which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)",
"relationship_type": "uses",
"source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48",
"target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json b/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json
index 3787f46232..c95fc88972 100644
--- a/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json
+++ b/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a208a99a-7b0c-49d1-bfb2-ddbf97d89e6b",
+ "id": "bundle--bdcb3546-6a3e-44e7-a01b-d0fe986862e4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978",
"created": "2022-09-26T14:29:33.111Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:29:33.111Z",
+ "modified": "2025-04-16T23:03:13.874Z",
"description": "Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
"target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json b/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json
index 8bff6d4082..2c415dc930 100644
--- a/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json
+++ b/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--53f8a1b0-2263-42ed-b1b3-c9d470987068",
+ "id": "bundle--8b19ff08-08dd-4039-b086-3dd0a6dc5b15",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.157Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:14.092Z",
"description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json b/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json
index 091c9c30cd..0d61ca9d36 100644
--- a/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json
+++ b/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--955dc970-15de-41ea-ba69-99463ff2276d",
+ "id": "bundle--797a788d-b377-43c1-b438-c6646db17270",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0",
"created": "2023-09-29T16:33:23.456Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:33:23.456Z",
+ "modified": "2025-04-16T23:03:14.317Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json b/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json
index e82aa8274a..afa9099113 100644
--- a/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json
+++ b/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--19cc5542-d03f-4e30-8e42-f4711bb3cdee",
+ "id": "bundle--7465b3f3-3aad-44d6-a994-4449d0bfd3a3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780",
"created": "2023-09-28T19:45:42.727Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:45:42.727Z",
+ "modified": "2025-04-16T23:03:14.536Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json b/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json
index 6adee9097a..01e26b8194 100644
--- a/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json
+++ b/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6d2a8557-3f98-4cfd-b445-991f8d7ceb6b",
+ "id": "bundle--a238a2c1-eb74-4471-8522-aa8e821b0f7a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b",
"created": "2023-09-29T17:39:54.089Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:39:54.089Z",
+ "modified": "2025-04-16T23:03:14.746Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json b/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json
index d8138af09b..7be12297a0 100644
--- a/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json
+++ b/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--42d3d7ed-2e7a-4aae-b844-80883579c15a",
+ "id": "bundle--f2486871-e9c4-49a4-b399-3dbe8c9b9ee5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7bb1dbec-7314-479a-9496-86f8e25041eb",
"created": "2023-09-29T16:40:43.415Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:40:43.416Z",
+ "modified": "2025-04-16T23:03:14.965Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json b/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json
index 84cd118c49..731748628c 100644
--- a/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json
+++ b/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--435c7a64-0e84-4b42-bdb5-eff496e8f6f6",
+ "id": "bundle--64347f44-27a8-4cf8-873a-8b367922100d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07",
"created": "2023-09-29T18:49:01.768Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:49:01.768Z",
+ "modified": "2025-04-16T23:03:15.169Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json b/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json
index 4aa419d751..b0b2aefacb 100644
--- a/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json
+++ b/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2ee3eb80-f093-4a6b-ac9c-f964d4bb8f4a",
+ "id": "bundle--a141cd57-7edb-451c-940a-0ab0ff6e7665",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84",
"created": "2023-09-28T20:07:15.553Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:07:15.553Z",
+ "modified": "2025-04-16T23:03:15.437Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json b/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json
index fb94c8951c..6926c7f24b 100644
--- a/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json
+++ b/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--60ec8d39-1325-4794-84ab-6df1440a2d29",
+ "id": "bundle--716495c7-c1e6-4f20-9f14-487d1529aa8b",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-07T16:12:03.917Z",
+ "modified": "2025-04-16T23:03:15.644Z",
"description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.(Citation: Dragos Crashoverride 2018)",
"relationship_type": "uses",
"source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json b/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json
index 4115020c42..1d8d7aa975 100644
--- a/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json
+++ b/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8588cae8-60a1-41c9-92fa-3f65e97dba9c",
+ "id": "bundle--6c4c12a2-f87a-4e88-992f-94ccdb0a429d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea",
"created": "2023-09-28T20:07:01.309Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:07:01.309Z",
+ "modified": "2025-04-16T23:03:15.875Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json b/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json
index 9d35585631..012cf3bce0 100644
--- a/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json
+++ b/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--551296d4-c286-4cff-b5d7-91b9aaf7d2b3",
+ "id": "bundle--24a19267-ecb8-4b1b-8923-71d55d5029f6",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.084Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:16.097Z",
"description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json b/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json
index 9c9d840dff..dbf63c7b57 100644
--- a/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json
+++ b/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a1974236-50b6-491f-98e3-b2caa058ec4d",
+ "id": "bundle--840d08f5-acc0-4b38-819b-a32a3531a261",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.441Z",
+ "modified": "2025-04-16T23:03:16.338Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json b/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json
index 20fd000235..22881cba53 100644
--- a/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json
+++ b/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--967b9783-40c4-4a52-a02b-8f5775b71c3b",
+ "id": "bundle--69c4ad49-64c2-4590-8a30-930a7979159d",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.080Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:16.555Z",
"description": "Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json b/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json
index 4d62068b91..6d0309f0d0 100644
--- a/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json
+++ b/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--607d6975-08b3-4977-8148-b3db18d4f15a",
+ "id": "bundle--6bfd063b-06f3-4274-9316-2869cb9b8740",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd",
"created": "2022-09-27T15:27:00.387Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:27:00.387Z",
+ "modified": "2025-04-16T23:03:16.766Z",
"description": "Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json b/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json
index f088d7857e..273ed86a14 100644
--- a/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json
+++ b/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4ec3e860-e696-42ef-9fdb-0b55117754c6",
+ "id": "bundle--90c56429-5691-4ff0-8f7f-3217fbf059c0",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:55:36.262Z",
+ "modified": "2025-04-16T23:03:16.975Z",
"description": "Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json b/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json
index a20f6610c4..6ae9dc8780 100644
--- a/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json
+++ b/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a5c869f3-1aa2-40f3-9942-e8b94d3ff22a",
+ "id": "bundle--eb440f66-d666-4420-8320-d63837921a7e",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:26:34.069Z",
+ "modified": "2025-04-16T23:03:17.196Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) toggles breakers to the open state utilizing unauthorized command messages. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json b/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json
index ff826f8012..065ce0b82c 100644
--- a/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json
+++ b/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0e544707-8652-4695-ba8e-5a769e43e9dd",
+ "id": "bundle--98053477-e816-4eac-a8b0-438b7772d657",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23",
"created": "2023-09-29T18:48:29.126Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:48:29.126Z",
+ "modified": "2025-04-16T23:03:17.412Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json b/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json
index 877347430b..08274629bd 100644
--- a/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json
+++ b/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f0a18bf1-f5b6-4e08-8b81-bd201db2c725",
+ "id": "bundle--ad227450-4f29-4f2f-bfc5-a50486e43859",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-29T14:05:12.676Z",
+ "modified": "2025-04-16T23:03:17.615Z",
"description": "Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
"target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json b/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json
index 4382e2692b..13ce800bdf 100644
--- a/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json
+++ b/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4dc01e71-a299-4d3c-b22d-e9f26a6cce4c",
+ "id": "bundle--bdfb5e18-da11-4b95-90bd-73564eee545f",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:13:43.688Z",
+ "modified": "2025-04-16T23:03:17.887Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603)'s infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804.json b/ics-attack/relationship/relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804.json
index 0b922d4424..bfdd2d3871 100644
--- a/ics-attack/relationship/relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804.json
+++ b/ics-attack/relationship/relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--845164e6-83ef-49de-8079-fd2d1392e590",
+ "id": "bundle--7a3d1e5f-947c-49c9-a0e3-082f0a2565e2",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-17T15:20:07.527Z",
+ "modified": "2025-04-16T23:03:18.083Z",
"description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.(Citation: Mandiant-Sandworm-Ukraine-2022)",
"relationship_type": "uses",
"source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json b/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json
index b0ac127422..a4ae5bba18 100644
--- a/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json
+++ b/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--2718eb1b-ce57-4048-8818-4eee9e6db0ed",
+ "id": "bundle--4fe512f3-cbd9-44a4-be82-51f20cd8f799",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.072Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:18.320Z",
"description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json b/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json
index 7a677e0a59..b0102008f6 100644
--- a/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json
+++ b/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--efef2406-2a4d-4d18-9fc7-6ca16f6f1882",
+ "id": "bundle--81ee8551-2caa-4e4c-a68a-02e0ccc2ae85",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:47:23.983Z",
+ "modified": "2025-04-16T23:03:18.520Z",
"description": "Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json b/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json
index 92a8749471..5aa3e7023b 100644
--- a/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json
+++ b/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0f763095-dd1f-4294-aace-41e20e358082",
+ "id": "bundle--7d592fea-3b40-435e-8ac4-504229ad3ce0",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:39:20.443Z",
+ "modified": "2025-04-16T23:03:18.748Z",
"description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json b/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json
index 1768ecf43c..838ee51974 100644
--- a/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json
+++ b/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--860cbf65-d7dd-496d-a887-73fba6540b13",
+ "id": "bundle--341d37c3-eda6-47d3-8b67-16add3a1700d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7d42ba22-9595-4463-8dda-c0e47a154fed",
"created": "2023-09-28T20:07:48.301Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:07:48.301Z",
+ "modified": "2025-04-16T23:03:18.952Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json b/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json
index 92bdfe0a1b..425d130073 100644
--- a/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json
+++ b/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8076adde-b3d5-4e75-a979-d98224ffd137",
+ "id": "bundle--39b7c424-2224-40f6-8c19-525e5a106a98",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:49:40.767Z",
+ "modified": "2025-04-16T23:03:19.166Z",
"description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json b/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json
index 4a199dc5e2..873468975d 100644
--- a/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json
+++ b/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f158c1a5-60a5-40d2-973a-d39135ec7825",
+ "id": "bundle--03c2d30a-3aa3-4506-9e4c-d08d9b163cf4",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:14:40.227Z",
+ "modified": "2025-04-16T23:03:19.400Z",
"description": "Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may then perform these actions using [Valid Accounts](https://attack.mitre.org/techniques/T0859).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json b/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json
index 813abe8577..d74cefa342 100644
--- a/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json
+++ b/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e6e1ca2e-166a-4dc9-947e-9460ed7819c1",
+ "id": "bundle--6a5c7d7b-9475-4a01-808a-c56fa2315741",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:29:53.545Z",
+ "modified": "2025-04-16T23:03:19.600Z",
"description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json b/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json
index 050e012765..bdcc12c615 100644
--- a/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json
+++ b/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--eb107f60-b098-4ee7-8e80-0d2fccaeed75",
+ "id": "bundle--29b6992f-6d63-4729-b3b6-6dd73b95881a",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.261Z",
+ "modified": "2025-04-16T23:03:19.824Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power company phone line operators were hit with a denial of service attack so that they couldn\u2019t field customers\u2019 calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices. (Citation: Ukraine15 - EISAC - 201603)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json b/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json
index 857f08dc2d..18bc27e4c9 100644
--- a/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json
+++ b/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2606c7aa-8824-4276-861a-1e1f36690bd4",
+ "id": "bundle--6a2ed38f-5035-4908-8a9f-e686d4fc8c89",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:54:12.966Z",
- "description": "Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) and [System Network Connections Discovery](https://attack.mitre.org/techniques/T1049).",
+ "modified": "2025-04-16T23:03:20.034Z",
+ "description": "Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see [System Network Configuration Discovery Mitigation](https://attack.mitre.org/mitigations/T1016) and [System Network Connections Discovery Mitigation](https://attack.mitre.org/mitigations/T1049).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json b/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json
index 780df1caaa..797e105611 100644
--- a/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json
+++ b/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--51c9132f-16ea-43ef-b7e1-00181a12ab1c",
+ "id": "bundle--04bd07d4-068b-4262-9704-42ddab71b1fd",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.195Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:20.268Z",
"description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b.json b/ics-attack/relationship/relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b.json
index 7cce617956..9c902f2c3e 100644
--- a/ics-attack/relationship/relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b.json
+++ b/ics-attack/relationship/relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c03e9833-200f-4575-b5aa-79d02ed0e7cb",
+ "id": "bundle--c3281996-f977-4d32-9228-e79a8e5f67a7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b",
"created": "2024-04-09T20:53:54.209Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:53:54.209Z",
+ "modified": "2025-04-16T23:03:20.498Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json b/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json
index 816a55ffe9..64e8d79a34 100644
--- a/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json
+++ b/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--c7932763-2461-4789-9a3d-36c8b20506e9",
+ "id": "bundle--dc15ff56-c999-4fc1-a01b-cfe4084c1f4d",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--7dedeb73-ef90-4282-a635-cc37326773af",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.083Z",
- "relationship_type": "mitigates",
- "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n",
- "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
- "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014",
@@ -23,9 +15,16 @@
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:20.721Z",
+ "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
+ "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json b/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json
index 64610f2467..89c6e9e6bb 100644
--- a/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json
+++ b/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6898c22f-4fa9-4f2e-b680-95b72474fe26",
+ "id": "bundle--8f8b1c3d-70d3-4fe8-a39d-3ca6e609a844",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:37:35.099Z",
+ "modified": "2025-04-16T23:03:20.920Z",
"description": "Monitor executed commands and arguments for actions that could be taken to collect internal data.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json b/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json
index e84577efdb..eae7483847 100644
--- a/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json
+++ b/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1961eb75-1636-4f86-8289-af14ef7ea23f",
+ "id": "bundle--90b79bff-c470-4ee8-b3a6-384479da56fb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858",
"created": "2023-09-29T16:32:46.335Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:32:46.335Z",
+ "modified": "2025-04-16T23:03:21.134Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json b/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json
index 9c084d7ed5..b8ce36de04 100644
--- a/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json
+++ b/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--49a9d467-3fda-4e13-94e4-4037e48abfd9",
+ "id": "bundle--0ec77d3b-876e-44d3-a0f0-5fa1de6a1f1f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706",
"created": "2023-09-28T20:28:16.122Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:28:16.122Z",
+ "modified": "2025-04-16T23:03:21.376Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json b/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json
index 2bf0b9541c..fdc52cc224 100644
--- a/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json
+++ b/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2531ba1d-0af6-426b-a657-2c9729e91e16",
+ "id": "bundle--5a979391-68bd-4673-b2ea-464b6f89ea26",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7",
"created": "2023-09-29T17:43:22.756Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:43:22.756Z",
+ "modified": "2025-04-16T23:03:21.575Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json b/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json
index 2d00e8240d..946c1611c0 100644
--- a/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json
+++ b/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--11172f3d-83ae-4de6-85d3-37036554e754",
+ "id": "bundle--3309f4f2-e96f-4672-b135-9929d23ca8a6",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T18:40:55.168Z",
+ "modified": "2025-04-16T23:03:21.789Z",
"description": "Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json b/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json
index b2e1c77131..62393e52f7 100644
--- a/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json
+++ b/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fffaf11c-7c55-4dcb-ad14-fcfa97ceb444",
+ "id": "bundle--8bcaa7f7-749f-4668-9f2c-a8bd18b7572e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3",
"created": "2022-09-26T15:24:07.122Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:24:07.122Z",
+ "modified": "2025-04-16T23:03:21.984Z",
"description": "Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json b/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json
index a1d97b4053..b4af8f377f 100644
--- a/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json
+++ b/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--497cbce4-3595-4345-9675-4d3dea23b6ad",
+ "id": "bundle--d5d05c13-2b3c-4410-91fd-ba63dd56f9a9",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.071Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:22.214Z",
"description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json b/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json
index df80bf0d66..a175f49eb4 100644
--- a/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json
+++ b/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--bd90f3d9-68c0-4354-a0cc-3951288bd27d",
+ "id": "bundle--f5a0b5ef-8868-4f36-b742-8db6d4892c8f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.152Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:22.426Z",
"description": "Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json b/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json
index 450a3c972c..23190d4611 100644
--- a/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json
+++ b/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a04a6ec4-2b76-4f2e-b6e1-e579c4cab8b6",
+ "id": "bundle--867a3814-28f8-4e27-a4c3-f44d653cfda8",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.114Z",
- "relationship_type": "mitigates",
- "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n",
- "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
- "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Dan Goodin March 2017",
@@ -23,9 +15,16 @@
"url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:22.643Z",
+ "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
+ "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json b/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json
index b707cd5054..fb0dd7d1fd 100644
--- a/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json
+++ b/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--16bf5788-0f0d-427f-8f12-a5f3e3bded2f",
+ "id": "bundle--8dcaf005-b7d3-465a-a2f9-95f4256cf0e4",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T16:43:45.457Z",
+ "modified": "2025-04-16T23:03:22.903Z",
"description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json b/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json
index 0de3423018..c34c619507 100644
--- a/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json
+++ b/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--041f410e-ae68-460f-8fe5-8e27ace25fd9",
+ "id": "bundle--e041e3bd-aa52-404a-8799-854924f04296",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.098Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:23.140Z",
"description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json b/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json
index fdac694eba..36fa623ed6 100644
--- a/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json
+++ b/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--79a8f8eb-18b5-4955-8964-e9231e85df81",
+ "id": "bundle--73eefeee-a7f3-493b-9bcf-773167763c71",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.442Z",
+ "modified": "2025-04-16T23:03:23.373Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) includes a library that creates Modbus connections with a device to request its device ID.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b.json b/ics-attack/relationship/relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b.json
index 6f1570b38f..c04dc6716f 100644
--- a/ics-attack/relationship/relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b.json
+++ b/ics-attack/relationship/relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e858f9ab-a7af-4c9c-9747-48125b0ba4b8",
+ "id": "bundle--cb9fbee8-ccfc-44ba-b2b7-5d8537c9c1e1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b",
"created": "2024-03-25T20:17:49.585Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-25T20:17:49.585Z",
+ "modified": "2025-04-16T23:03:23.570Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json b/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json
index 05aaeba53f..7e8987925a 100644
--- a/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json
+++ b/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8c9c10b3-130a-4dac-ad8e-e9045c64ee29",
+ "id": "bundle--6f863233-4ad3-4948-a4df-c97017f251e6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--81055366-e78b-40e0-a799-4b536ba03db3",
"created": "2023-09-29T18:45:22.474Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:45:22.474Z",
+ "modified": "2025-04-16T23:03:23.776Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json b/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json
index 7f7be6f81b..996bf8de95 100644
--- a/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json
+++ b/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7a150eae-e608-48ba-9b01-7b272d9440d4",
+ "id": "bundle--baaa6764-a1ac-4af5-92a9-bace96a858a2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--81117328-e2bb-431c-a1ca-6ba7e6816637",
"created": "2022-09-26T16:25:38.511Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:25:38.511Z",
+ "modified": "2025-04-16T23:03:23.972Z",
"description": "Consult asset management systems to understand expected program versions.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--81352e47-4317-45e3-88b9-a97dd2166727.json b/ics-attack/relationship/relationship--81352e47-4317-45e3-88b9-a97dd2166727.json
index 301a1d92e0..d7ec1be675 100644
--- a/ics-attack/relationship/relationship--81352e47-4317-45e3-88b9-a97dd2166727.json
+++ b/ics-attack/relationship/relationship--81352e47-4317-45e3-88b9-a97dd2166727.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0d5bfaf4-8d46-40f4-bd0a-2e39f6ebead8",
+ "id": "bundle--285dd6c2-2e89-443d-baba-03e01040653c",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:01:17.504Z",
+ "modified": "2025-04-16T23:03:24.181Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.(Citation: FireEye TRITON Dec 2017)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json b/ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json
index cd77963cdd..380a6316dc 100644
--- a/ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json
+++ b/ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--86730728-be06-4ec8-a4be-3fe8ae49a6f6",
+ "id": "bundle--230fa484-e16c-49db-86cd-e4c179e45e72",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6",
"created": "2023-09-28T20:11:42.579Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:11:42.579Z",
+ "modified": "2025-04-16T23:03:24.426Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json b/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json
index 580f7aef1b..21180d60aa 100644
--- a/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json
+++ b/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ac2ce49a-be66-4ca1-a658-65e8a96fa7eb",
+ "id": "bundle--5eab504e-05ec-4a18-b5eb-38c500711f88",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--81806f43-c9aa-486e-8032-4e4665ba0d39",
"created": "2023-09-29T18:43:13.760Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:43:13.760Z",
+ "modified": "2025-04-16T23:03:24.650Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json b/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json
index 1db09bd792..5260234b61 100644
--- a/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json
+++ b/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--97f27355-50ef-4951-a770-43a4cbf69f3d",
+ "id": "bundle--66e1e875-834d-4444-b5c7-2bacfe4c6c11",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32",
"created": "2023-09-28T21:13:00.330Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:13:00.330Z",
+ "modified": "2025-04-16T23:03:24.878Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json b/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json
index 2c3c64269a..788f07e95b 100644
--- a/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json
+++ b/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0a5e0790-17ec-4780-a439-491916141d7a",
+ "id": "bundle--2a4e2d45-4149-4868-afa5-e2413cb09a65",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:44:21.000Z",
+ "modified": "2025-04-16T23:03:25.091Z",
"description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json b/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json
index 7cec254d75..d9b03a83f5 100644
--- a/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json
+++ b/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--d6a2bb1b-43b9-4304-ad9e-1ee3b251c74d",
+ "id": "bundle--a413072e-c785-4980-a2ef-dfc339116719",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.204Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:25.325Z",
"description": "Users can be trained to identify social engineering techniques and spearphishing emails.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json b/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json
index 02a966af82..aba3ad01ad 100644
--- a/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json
+++ b/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--01b7cdee-f33c-4b64-89d7-0a351892e9ce",
+ "id": "bundle--b1880208-f3b2-4428-a752-c1e03b4447a0",
"spec_version": "2.0",
"objects": [
{
@@ -12,8 +12,8 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
},
{
"source_name": "Langer Stuxnet",
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-17T16:00:35.053Z",
+ "modified": "2025-04-16T23:03:25.567Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. (Citation: Langer Stuxnet)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json b/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json
index 0ca7928a40..8b38ea1a77 100644
--- a/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json
+++ b/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--7d707ea4-1853-4785-9b76-6777dbec9de5",
+ "id": "bundle--af9783cd-9697-43c9-91ef-e3ee0033a0ba",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T16:42:35.018Z",
- "description": "Monitor Windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.",
+ "modified": "2025-04-16T23:03:25.772Z",
+ "description": "Monitor Windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal on Host Mitigation](https://attack.mitre.org/mitigations/T1070) and applicable sub-techniques.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json b/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json
index 20b4488859..6531670365 100644
--- a/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json
+++ b/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c7ebd53b-d5cb-429b-bced-1ea6e82f8cd9",
+ "id": "bundle--92261bee-6189-4933-98c3-59c2fcc2ff01",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--83a964cb-730c-44e4-859b-b5246159396b",
"created": "2023-09-29T17:59:43.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:59:43.275Z",
+ "modified": "2025-04-16T23:03:25.998Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json b/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json
index d6d814c7f2..6a621c4021 100644
--- a/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json
+++ b/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--bb001715-29b0-42ee-98f2-d0b111f40f31",
+ "id": "bundle--a084b328-475d-4093-8303-9e9269ac59c1",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:27:02.814Z",
+ "modified": "2025-04-16T23:03:26.229Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json b/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json
index 4fdeab4568..1c17845352 100644
--- a/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json
+++ b/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--41d789e6-bb5c-4fcf-9d4a-ca90d1d92317",
+ "id": "bundle--0d810f26-a758-4700-9c16-96a00ab12af0",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T14:53:48.947Z",
+ "modified": "2025-04-16T23:03:26.438Z",
"description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json b/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json
index 3fae61e7b2..7cc33069e9 100644
--- a/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json
+++ b/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9abf4faa-46ba-4bef-bfec-c7ab71ddbbfe",
+ "id": "bundle--e7954324-6ca2-45cc-8112-c514f1b8995a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:32:52.932Z",
+ "modified": "2025-04-16T23:03:26.648Z",
"description": "Monitor for newly constructed drive letters or mount points to removable media.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f",
"target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json b/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json
index 18d8969f50..d6bf22c4f8 100644
--- a/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json
+++ b/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4abaa77d-a624-4b78-9ba1-a3c41e7f22ea",
+ "id": "bundle--b55bcec2-dd4a-4389-ac73-8b53726cdda8",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:49:11.920Z",
+ "modified": "2025-04-16T23:03:26.883Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json b/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json
index c886985ddc..b1040554af 100644
--- a/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json
+++ b/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--40737de9-47ba-4b0c-b042-25528cf1024a",
+ "id": "bundle--1bc52e2e-8142-4a9f-a4ce-9b5aa4dfd6ab",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.187Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:27.085Z",
"description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json b/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json
index ae40df9eb5..1323ddd4ba 100644
--- a/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json
+++ b/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1298bdf1-6a83-4bd7-a47b-4744f4bb679c",
+ "id": "bundle--adef8e34-b712-40ff-8b89-7d7ebc6e3cd2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--84671396-a556-4a5d-9bb9-cac697277371",
"created": "2023-09-29T16:31:12.255Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:31:12.255Z",
+ "modified": "2025-04-16T23:03:27.313Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json b/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json
index 803a7d7339..026472ca43 100644
--- a/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json
+++ b/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--86fc7c22-72a0-4946-886d-6ddf8627bf81",
+ "id": "bundle--4196a997-e5b2-48a0-aafc-cb6f45f4726f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65",
"created": "2023-09-28T21:11:15.610Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:11:15.610Z",
+ "modified": "2025-04-16T23:03:27.552Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json b/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json
index 0f5004c276..ce78b9afe0 100644
--- a/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json
+++ b/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--35f30544-a819-4435-85e2-b7c8bbf32f38",
+ "id": "bundle--beb9a422-f2f4-4aff-bcaa-24e06b666e84",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--84fa50ff-bb84-4ab6-b759-658c57532c42",
"created": "2023-09-29T16:32:09.319Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:32:09.319Z",
+ "modified": "2025-04-16T23:03:27.783Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json b/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json
index 31b17fa535..1f19a3d681 100644
--- a/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json
+++ b/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--be048b5c-cc8a-4e50-8025-a005baae934e",
+ "id": "bundle--2e4eeb38-6a14-4c4b-9f9a-6f9e47ecd7b8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7",
"created": "2023-09-29T18:01:32.878Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:01:32.878Z",
+ "modified": "2025-04-16T23:03:28.038Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json b/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json
index 4d2f217257..024b537873 100644
--- a/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json
+++ b/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--506e54ae-6eb8-4f0e-a8c3-beeb8bc37e34",
+ "id": "bundle--7a2488f4-73c5-445d-b4b8-0878e682194e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75",
"created": "2023-09-29T17:59:22.291Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:59:22.291Z",
+ "modified": "2025-04-16T23:03:28.278Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--856e18a8-df82-402a-9105-ff4b7e4caf12.json b/ics-attack/relationship/relationship--856e18a8-df82-402a-9105-ff4b7e4caf12.json
new file mode 100644
index 0000000000..6bd8ff15e6
--- /dev/null
+++ b/ics-attack/relationship/relationship--856e18a8-df82-402a-9105-ff4b7e4caf12.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--5568f567-df5b-4c46-a6a1-9485892d4b31",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--856e18a8-df82-402a-9105-ff4b7e4caf12",
+ "created": "2024-11-20T23:07:17.528Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ },
+ {
+ "source_name": "Nozomi BUSTLEBERM 2024",
+ "description": "Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.",
+ "url": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:28.490Z",
+ "description": "[FrostyGoop](https://attack.mitre.org/software/S1165) is compiled for Windows systems and leverages a Windows-based command line interface.(Citation: Dragos FROSTYGOOP 2024) Modbus interaction functionality is based off a publicly available Github repository for command line input.(Citation: Nozomi BUSTLEBERM 2024)",
+ "relationship_type": "uses",
+ "source_ref": "malware--b34df04a-9d30-4d84-a03f-0d536ee19a05",
+ "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json b/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json
index a653b9ce66..b884db64cd 100644
--- a/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json
+++ b/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6a5a7966-4d8d-439e-a0f7-05eb207fa0ac",
+ "id": "bundle--48abe8f9-c34d-4a38-a030-1afe7364397e",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.443Z",
+ "modified": "2025-04-16T23:03:28.791Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use a Telnet session to load a malware implant on Omron PLCs.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json b/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json
index 71f44c64f3..860fc9aa55 100644
--- a/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json
+++ b/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a9c14dbe-3130-42d2-b256-43284d7bfd76",
+ "id": "bundle--1d35c589-3d1a-48f6-b019-46e21fd31236",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc",
"created": "2023-09-28T19:58:13.866Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:58:13.866Z",
+ "modified": "2025-04-16T23:03:29.013Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json b/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json
index 27c614ef48..24ccc2e386 100644
--- a/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json
+++ b/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4d8df553-fd8a-4767-a5f0-8e38528d1e20",
+ "id": "bundle--4a3b991f-d4e5-46c4-a5b1-dd05e801480c",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:01:39.537Z",
+ "modified": "2025-04-16T23:03:29.217Z",
"description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json b/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json
index 80f639867c..f9700eb8f5 100644
--- a/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json
+++ b/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f45cdec0-64ea-488a-b4c2-9cb095aabd9c",
+ "id": "bundle--b79febc3-0377-43b4-91d2-f7b876cc7bd6",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:47:46.836Z",
+ "modified": "2025-04-16T23:03:29.440Z",
"description": "Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json b/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json
index 722371d907..877159dc9e 100644
--- a/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json
+++ b/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--41f455e7-576b-4e8e-9b16-09a288ce8b51",
+ "id": "bundle--bb80e3bb-090a-4852-904d-8816f542b446",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.166Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:29.643Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json b/ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json
index ec6d65b5df..096e528b8c 100644
--- a/ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json
+++ b/ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--587a5af8-c206-43f9-889d-8bfe6ace52ef",
+ "id": "bundle--e59039a9-2648-48db-9c79-caf3a21ce79e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c",
"created": "2023-09-28T21:09:41.659Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:09:41.659Z",
+ "modified": "2025-04-16T23:03:29.875Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json b/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json
index 34609597ed..aff151d426 100644
--- a/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json
+++ b/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--316f5526-fe34-4322-b7c4-11d955397f93",
+ "id": "bundle--efd404fa-d465-4e37-abc5-7ad23c27dba3",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:18:43.413Z",
+ "modified": "2025-04-16T23:03:30.082Z",
"description": "Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json b/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json
index 367e5fc67c..c4b16e1361 100644
--- a/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json
+++ b/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--358badf5-0268-461e-a48f-885449a49aea",
+ "id": "bundle--4c9c4410-84fb-48aa-8a42-288844d07c40",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:13:57.066Z",
+ "modified": "2025-04-16T23:03:30.320Z",
"description": "Protect files with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
"target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json b/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json
index 979deda23f..ff23d03d1f 100644
--- a/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json
+++ b/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4cea5005-d0a2-4dd1-8681-9524b0fb7381",
+ "id": "bundle--d3948f3d-4f39-4422-8c34-11f5385837fa",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-30T14:37:52.169Z",
+ "modified": "2025-04-16T23:03:30.532Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json b/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json
index bb28568c70..29d2653ced 100644
--- a/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json
+++ b/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3b0e7481-fac6-4629-9078-b29060b2b4d7",
+ "id": "bundle--b660b72c-10e0-4d44-8783-d059ed8350fb",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:49:35.368Z",
+ "modified": "2025-04-16T23:03:30.772Z",
"description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json b/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json
index d30746b53d..351e2bd9ac 100644
--- a/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json
+++ b/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--37f78ba7-ce89-4676-b31f-a04a83f7f67f",
+ "id": "bundle--dc30a936-82fb-494d-ba49-a589d5b982f1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--87eb5825-c918-444f-8da5-67da9eea9906",
"created": "2022-09-26T17:14:52.427Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T17:14:52.427Z",
+ "modified": "2025-04-16T23:03:30.996Z",
"description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json b/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json
index 9f9c6f7a33..beacdef98b 100644
--- a/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json
+++ b/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c531e777-25ef-48f7-872d-3b876f7926c9",
+ "id": "bundle--b840130c-ec29-4ca4-aa1e-1a8e4af4a707",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:10:18.233Z",
+ "modified": "2025-04-16T23:03:31.203Z",
"description": "Some asset application logs may provide information on I/O points related to write commands. Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json b/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json
index 52485580d5..2bdae421f5 100644
--- a/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json
+++ b/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a7966c0d-a87e-48db-b0e1-e4ae33c951c9",
+ "id": "bundle--4c5f0b66-216d-4f39-8aec-8a9d865d3de8",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:49:19.854Z",
+ "modified": "2025-04-16T23:03:31.430Z",
"description": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
"target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json b/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json
index 19bcab2443..3685aae787 100644
--- a/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json
+++ b/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b9d7de41-5cc3-4f9d-b553-662c94d4fca7",
+ "id": "bundle--5944440e-b53b-4d28-847c-6782b5c92be8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2",
"created": "2023-09-28T21:24:07.864Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:24:07.864Z",
+ "modified": "2025-04-16T23:03:31.654Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json b/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json
index 93f5dccd9c..839a915e8c 100644
--- a/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json
+++ b/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--594aece6-8955-4ffd-a95a-5ea08bdaceb6",
+ "id": "bundle--11e17006-40d3-4d25-8167-4a7ab1b18462",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:51:45.844Z",
+ "modified": "2025-04-16T23:03:32.003Z",
"description": "Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json b/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json
index 8ff35cf426..96c942b412 100644
--- a/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json
+++ b/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--621d5d41-2208-465f-8145-34a7a2fdebd7",
+ "id": "bundle--480f95cf-416b-438f-8d35-3806e3b46c31",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--897cfc36-4253-4e1e-8825-726dbe9088a2",
"created": "2023-09-28T19:55:02.944Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:55:02.944Z",
+ "modified": "2025-04-16T23:03:32.235Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json b/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json
index 71245252bf..b1f562669a 100644
--- a/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json
+++ b/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b21f6d68-a240-4247-918f-21293e8566a6",
+ "id": "bundle--ae96f600-4191-4df6-b552-3b2ce8c0939b",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T18:41:09.265Z",
+ "modified": "2025-04-16T23:03:32.445Z",
"description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json b/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json
index caab52b25c..446f7bba9f 100644
--- a/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json
+++ b/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a26d0773-f59f-46dd-9caf-cd666cb811e5",
+ "id": "bundle--9140522e-fe84-443b-a44b-399f2c6118b3",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T17:31:56.055Z",
+ "modified": "2025-04-16T23:03:32.672Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects DLL's associated with the WinCC Simatic manager which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the `xyz.dll` file. If the `xyz.dll` file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf.json b/ics-attack/relationship/relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf.json
index b1c230f373..4e11c660c5 100644
--- a/ics-attack/relationship/relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf.json
+++ b/ics-attack/relationship/relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c07edcc1-5472-4e14-9fe3-1b0e86808660",
+ "id": "bundle--bfe3f014-ebf0-4ea7-886c-2a993b9c987f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf",
"created": "2023-03-30T19:01:40.038Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:01:40.038Z",
+ "modified": "2025-04-16T23:03:32.878Z",
"description": "Monitor for any suspicious attempts to enable scripts running on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json b/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json
index 97cd9bfc4a..48d268bc3d 100644
--- a/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json
+++ b/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--979cfd95-cf84-4402-97ec-9156757744d8",
+ "id": "bundle--8faca620-57cd-4601-a458-a5bec141ca88",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:49:59.817Z",
+ "modified": "2025-04-16T23:03:33.100Z",
"description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json b/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json
index 0ab4a72c32..c0d4d93da2 100644
--- a/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json
+++ b/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1664c441-6681-4443-9876-0eaaa1d2bbd4",
+ "id": "bundle--e71783cc-b778-419c-9b4a-e93c550b260f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108",
"created": "2023-09-29T16:42:43.736Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:42:43.736Z",
+ "modified": "2025-04-16T23:03:33.311Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json b/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json
index 80b3a3e347..51440013d4 100644
--- a/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json
+++ b/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--289a809d-a3b0-4798-8aa4-b330ee862daa",
+ "id": "bundle--e2c39a20-6529-4c6f-9cc9-e4459f8d6c52",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T15:25:53.307Z",
+ "modified": "2025-04-16T23:03:33.511Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) moved their tools laterally within the ICS network. (Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json b/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json
index 7dc290e1c9..8620ac2704 100644
--- a/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json
+++ b/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--bc2cdf65-015a-4ad8-9a34-e16df48bf219",
+ "id": "bundle--7e5f9e0f-3d4d-4385-9b9e-30265342d324",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c",
"created": "2022-09-26T16:50:56.298Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:50:56.298Z",
+ "modified": "2025-04-16T23:03:33.718Z",
"description": "Monitor for a loss of network communications, which may indicate a device has been shutdown or restarted. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json b/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json
index 359865303c..04303b712f 100644
--- a/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json
+++ b/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ff298ead-0495-43e8-843a-cb59ff75ab3f",
+ "id": "bundle--dc2e3396-f20b-4c03-a248-65c8df54800e",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:32:18.214Z",
+ "modified": "2025-04-16T23:03:33.911Z",
"description": "Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Asset management systems should be consulted to understand known-good firmware versions and configurations.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
"target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json b/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json
index 52fc7215b3..a81287d086 100644
--- a/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json
+++ b/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--9b46784e-5f82-4e94-a6f8-315ea609f29c",
+ "id": "bundle--9dc78f9b-9b52-4db8-aaf2-d91132a67850",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.135Z",
- "relationship_type": "mitigates",
- "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
- "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
- "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:34.111Z",
+ "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
+ "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json b/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json
index 114129b02f..d6869c2bc2 100644
--- a/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json
+++ b/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a0ea6944-c066-43ec-85ef-f874eeb459f2",
+ "id": "bundle--9748bacd-f97d-4447-b542-b86044b4ffd8",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:27:15.545Z",
+ "modified": "2025-04-16T23:03:34.317Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. (Citation: MDudek-ICS)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json b/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json
index df54efa12c..1414d21e55 100644
--- a/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json
+++ b/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--fe7d884a-6991-4f4a-a209-0ec557b7198c",
+ "id": "bundle--8d424e60-7512-43f9-a504-c6d78a9bc5cb",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:55:26.030Z",
+ "modified": "2025-04-16T23:03:34.529Z",
"description": "Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json b/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json
index f06c74ce8b..f8d471a234 100644
--- a/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json
+++ b/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--13e1ced9-b5dd-40b7-a40d-ab0ef8d6d155",
+ "id": "bundle--41039490-7fd3-4567-8001-7e4e06dd82c3",
"spec_version": "2.0",
"objects": [
{
@@ -12,7 +12,7 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
},
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.263Z",
+ "modified": "2025-04-16T23:03:34.747Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) scheduled the uninterruptable power supplies (UPS) to shutdown data and telephone servers via the UPS management interface. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json b/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json
index 0d324bb8d4..cdaa0fa8c8 100644
--- a/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json
+++ b/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b8afac54-0418-4c41-ac8c-d0f3497f23b4",
+ "id": "bundle--38b5063b-5044-44af-857f-dc4533e7e9fb",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:08:06.789Z",
+ "modified": "2025-04-16T23:03:34.951Z",
"description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json b/ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json
index af6668c432..c9254be5cf 100644
--- a/ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json
+++ b/ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--794fa872-dee9-48dc-a9b7-b555471d2ddc",
+ "id": "bundle--38e56341-47b6-416d-89bc-42513f35c487",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4",
"created": "2023-10-02T20:21:16.665Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:21:16.665Z",
+ "modified": "2025-04-16T23:03:35.161Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json b/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json
index 45240f8fdc..47fe9ae1de 100644
--- a/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json
+++ b/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1a4573b2-533c-44df-9522-c4a3a6269c08",
+ "id": "bundle--703130ac-d518-4355-bac8-f22e75a58487",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:59:36.071Z",
+ "modified": "2025-04-16T23:03:35.379Z",
"description": "Monitor for unexpected deletion of files.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
"target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json b/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json
index 4d6f9c299e..536df3c095 100644
--- a/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json
+++ b/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--17de540b-b81e-4037-9ec4-96f8b5f34ae4",
+ "id": "bundle--0e7843fa-4454-4f01-9f91-ce8c011ec184",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.101Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:35.566Z",
"description": "Ensure remote commands that enable device shutdown are disabled if they are not necessary. Examples include DNP3's 0x0D function code or unnecessary device management functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json b/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json
index ef1be207ef..115a50c5bc 100644
--- a/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json
+++ b/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ca4d8994-dd28-4004-ad4f-f4ea21d67276",
+ "id": "bundle--2fe470e8-e61b-4cca-82f2-dfd69bd995e2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95",
"created": "2023-09-28T20:31:46.082Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:31:46.082Z",
+ "modified": "2025-04-16T23:03:35.783Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json b/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json
index a67f166492..6319d1c6d0 100644
--- a/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json
+++ b/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c4079e10-e94a-48e9-b288-585eb1a887b4",
+ "id": "bundle--8f789c2c-e0b1-4f27-aa9a-ef02c7904679",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.264Z",
+ "modified": "2025-04-16T23:03:35.985Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Ukraine15 - EISAC - 201603)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json b/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json
index 6261e44990..ba14b0f0a9 100644
--- a/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json
+++ b/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--55e6a3b5-e6db-4a1a-bcfa-3cfb8d74530d",
+ "id": "bundle--c582002f-e21c-475a-9cea-af7c6b01b92e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7",
"created": "2023-09-28T21:25:20.417Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:25:20.417Z",
+ "modified": "2025-04-16T23:03:36.191Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json b/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json
index 718556e94c..459fa30cf4 100644
--- a/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json
+++ b/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--066916b2-87c9-4aa4-91bc-fb19e4231348",
+ "id": "bundle--1e5593a5-3f1b-4eca-8be3-a83b269dc618",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:44:43.674Z",
+ "modified": "2025-04-16T23:03:36.407Z",
"description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash, which may be recorded in the application log.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json b/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json
index c27b515460..f7f8cf5c6f 100644
--- a/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json
+++ b/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d0499e26-ce98-4aa2-b998-bf6e6330cf1e",
+ "id": "bundle--2c0ad576-7e3e-41f1-bb73-c50cb6cb43a7",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:52:31.059Z",
+ "modified": "2025-04-16T23:03:36.627Z",
"description": "Device restarts and shutdowns may be observable in device application logs. Monitor for unexpected device restarts or shutdowns.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json b/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json
index 96deb4d69a..4430a11575 100644
--- a/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json
+++ b/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--bd0f2e40-67da-4845-86f4-7c69323ad8c6",
+ "id": "bundle--414cddaa-a71c-4345-bc4b-bd6a1c996552",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.139Z",
- "relationship_type": "mitigates",
- "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
- "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
- "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "M. Rentschler and H. Heine",
@@ -23,9 +15,16 @@
"url": "https://ieeexplore.ieee.org/document/6505877"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:36.845Z",
+ "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
+ "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json b/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json
index 7cfdc9e6d7..2c91c13e97 100644
--- a/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json
+++ b/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6e3296cd-3d82-44c9-8aea-968790ffd3f9",
+ "id": "bundle--5922fe2d-a1ab-4303-a4d7-aec2f90a4c0b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b",
"created": "2023-09-29T17:05:44.653Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:05:44.653Z",
+ "modified": "2025-04-16T23:03:37.044Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af.json b/ics-attack/relationship/relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af.json
index 0cbdcb1adc..4c99a6142b 100644
--- a/ics-attack/relationship/relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af.json
+++ b/ics-attack/relationship/relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--407cd944-ab4e-42d8-9878-8e3f9e7faf10",
+ "id": "bundle--7c2cc9da-154f-412d-bbd5-d0074d05b6c3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af",
"created": "2023-03-30T19:04:30.392Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:04:30.392Z",
+ "modified": "2025-04-16T23:03:37.229Z",
"description": "Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json b/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json
index 213849cb8f..8939851cfb 100644
--- a/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json
+++ b/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e078b16c-eb97-41d2-8b13-8228edae3f55",
+ "id": "bundle--da4c22c0-04b5-454e-8331-a059b4f3950e",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:20:08.002Z",
+ "modified": "2025-04-16T23:03:37.448Z",
"description": "Using OPC, a component of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)",
"relationship_type": "uses",
"source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json b/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json
index 47ee2317fe..30d168f25e 100644
--- a/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json
+++ b/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--358b1888-b9e9-4b07-adba-d909bc437913",
+ "id": "bundle--609e06bf-d426-412b-a1ef-94395e9d556f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8",
"created": "2023-03-30T19:00:57.773Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:00:57.773Z",
+ "modified": "2025-04-16T23:03:37.662Z",
"description": "Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json b/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json
index 53620c6f55..ee8c38ba65 100644
--- a/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json
+++ b/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--87325245-2755-41f2-b7b2-27508878da08",
+ "id": "bundle--28f69b2a-29a3-4a10-86d3-d0c835c39344",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.195Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:37.867Z",
"description": "Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0",
"target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json b/ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json
index 0fb9e08823..d7c4f8965c 100644
--- a/ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json
+++ b/ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--188297fc-dd3a-4d36-acf8-c01dd33ca721",
+ "id": "bundle--75f9ee5b-b11c-42f3-a351-df727e69a105",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8f947e00-2579-4120-a8b0-d466e59fac1a",
"created": "2023-09-28T19:49:25.824Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:49:25.824Z",
+ "modified": "2025-04-16T23:03:38.068Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json b/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json
index 5c412f8a60..956e86790c 100644
--- a/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json
+++ b/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a1819edb-5009-45ae-9a35-7fce5d6aa45c",
+ "id": "bundle--77fd0483-5e5a-48ad-93f5-42437220773b",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.120Z",
- "relationship_type": "mitigates",
- "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n",
- "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
- "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Dan Goodin March 2017",
@@ -23,9 +15,16 @@
"url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:38.275Z",
+ "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
+ "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json b/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json
index 62263652f1..dbc180a31f 100644
--- a/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json
+++ b/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--5ba0ce86-0bc9-4805-b6f5-92b97050edd0",
+ "id": "bundle--41c46a44-9000-4fea-93a9-f72d1e17ab4f",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.179Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:38.494Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json b/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json
index d5c21340f3..0d29159876 100644
--- a/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json
+++ b/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c9e85601-8ce0-432f-aefd-4f5fda7ffadf",
+ "id": "bundle--4ee4c237-15a9-4a2b-bd64-34ac7d281e49",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb",
"created": "2023-09-29T17:04:17.682Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:04:17.682Z",
+ "modified": "2025-04-16T23:03:38.724Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json b/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json
index 15026b9964..6af3cfa81d 100644
--- a/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json
+++ b/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--c9d27c9c-1260-4b9b-8b22-bbaf42706e0a",
+ "id": "bundle--c58d440a-c23b-49cd-a198-113048df9500",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--90647f03-38a4-4364-a3af-53640a81360e",
"created": "2023-03-31T18:11:19.943Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -23,16 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-31T18:11:19.943Z",
+ "modified": "2025-04-16T22:31:40.365Z",
"description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Joe Slowik August 2019)",
"relationship_type": "attributed-to",
"source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
"target_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json b/ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json
index 0fdb3b5d37..0450ad28eb 100644
--- a/ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json
+++ b/ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c056a02e-814b-4eb7-b351-6fdf1bc4fd9f",
+ "id": "bundle--187bdac2-8f17-447e-b2db-e54be0be87ed",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6",
"created": "2023-09-28T20:04:44.041Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:04:44.041Z",
+ "modified": "2025-04-16T23:03:39.033Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json b/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json
index e0ea8c53c7..40b5cddac9 100644
--- a/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json
+++ b/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--fc74a95e-f82a-4a83-9020-72fe97379c56",
+ "id": "bundle--b58d2122-d5af-4a91-bd9b-dd165b68b8dc",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:22:33.586Z",
+ "modified": "2025-04-16T23:03:39.267Z",
"description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)",
"relationship_type": "uses",
"source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json b/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json
index a5dac62695..6c4bb21336 100644
--- a/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json
+++ b/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8914f5c4-128a-402c-b0c0-17a79b4e4ca6",
+ "id": "bundle--c4f1dbe3-fd47-4bed-9bbd-6e4c15f4bc00",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--910bada1-c923-4009-a9ea-da257072f168",
"created": "2023-09-29T16:29:27.902Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:29:27.902Z",
+ "modified": "2025-04-16T23:03:39.456Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json b/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json
index a8a4ae7b62..5a0bf484b1 100644
--- a/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json
+++ b/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--6999bf6b-85f7-4fa1-9d38-b5bff659104c",
+ "id": "bundle--54df7b22-5072-41f2-b62f-cf9f59aa882b",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851",
+ "created": "2021-04-13T12:08:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-13T12:08:26.506Z",
- "modified": "2022-05-06T17:47:24.119Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:39.638Z",
"description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
"target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json b/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json
index 1dfa6eff39..a276a4d9ea 100644
--- a/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json
+++ b/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--76799349-8bdb-4ac5-abfd-f2682733b427",
+ "id": "bundle--c82e86ea-47e4-415c-b68a-861f2b2612b9",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.130Z",
- "relationship_type": "mitigates",
- "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
- "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -28,9 +20,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:39.862Z",
+ "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
+ "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json b/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json
index df319b3211..20427e0a03 100644
--- a/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json
+++ b/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--58484d0a-688f-47f8-ae28-97b4f43e647f",
+ "id": "bundle--e3a71b6d-ef60-4e13-bd85-a963544fa97a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:31:12.226Z",
+ "modified": "2025-04-16T23:03:40.082Z",
"description": "Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (e.g., JScript.dll, vbscript.dll).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json b/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json
index febff8d29f..45bf8db1d0 100644
--- a/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json
+++ b/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b6cfc139-1d22-4821-82f3-5aa2ae2fbd15",
+ "id": "bundle--fbb7bbf4-612b-4000-8570-853fa2b9685b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e",
"created": "2023-09-29T17:38:40.536Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:38:40.536Z",
+ "modified": "2025-04-16T23:03:40.317Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json b/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json
index 6d1403eb25..cf5eafa7d3 100644
--- a/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json
+++ b/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--248c0f14-48b0-4918-87bf-ddcb811fedd7",
+ "id": "bundle--75311efa-2e28-41f3-98b2-ef1d0711b818",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--93c336f2-7e7c-4c79-af16-faae03e66121",
"created": "2023-09-29T18:44:09.293Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:44:09.293Z",
+ "modified": "2025-04-16T23:03:40.516Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json b/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json
index 0db70ecfab..efd874dc38 100644
--- a/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json
+++ b/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--422db6ff-42af-4170-b4ec-3f835b2ed8fb",
+ "id": "bundle--823f40bc-3b8d-4bf9-8373-a10cc0f6351c",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:27:42.104Z",
+ "modified": "2025-04-16T23:03:40.724Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. (Citation: DHS CISA February 2019)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json b/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json
index 1dababed75..7d381882a6 100644
--- a/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json
+++ b/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6fe41327-5577-4976-bab7-4abb30b9c2d0",
+ "id": "bundle--fc5b183a-9a3c-4c74-b508-50dc878341d4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--943a9a5c-7826-451d-ac73-34353ea40595",
"created": "2023-09-29T16:33:36.496Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:33:36.496Z",
+ "modified": "2025-04-16T23:03:40.934Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json b/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json
index fac4edaa91..15ef6a03bf 100644
--- a/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json
+++ b/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--f29773d7-ef77-4400-b314-c0235cc69d21",
+ "id": "bundle--7b1c5fcc-a1c8-4a61-868a-2fda28111443",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--94654460-b115-4056-beb1-e982ed33437b",
"created": "2023-03-30T18:59:46.674Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -23,16 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T18:59:46.674Z",
+ "modified": "2025-04-16T23:03:41.155Z",
"description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from the local system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)",
"relationship_type": "mitigates",
"source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json b/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json
index f0e5996e62..9485087556 100644
--- a/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json
+++ b/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0d65698e-0797-4858-a34c-70ae3ae00361",
+ "id": "bundle--c8450d3b-1bf9-4e0d-8b52-2f10e2a75d68",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:37:55.042Z",
+ "modified": "2025-04-16T23:03:41.391Z",
"description": "Monitor for loss of operational process data which could indicate alarms are being suppressed. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
"target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json b/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json
index 80bce1a246..9a758e96ec 100644
--- a/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json
+++ b/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--35064660-9198-4997-aebe-a5e280b036c5",
+ "id": "bundle--bfc0c6ce-8ab4-4404-8c24-045ecf13602b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e",
"created": "2022-09-27T15:48:55.986Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:48:55.986Z",
+ "modified": "2025-04-16T23:03:41.596Z",
"description": "Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms.\n \n[Program Download](https://attack.mitre.org/techniques/T0843) may be used to enable this technique. Monitor for program downloads which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json b/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json
index a0a25d9600..d6ff7eecce 100644
--- a/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json
+++ b/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--de4f6c5a-fcfb-4de1-a9ee-dd89fc29a8ce",
+ "id": "bundle--8d212ecf-10d3-4669-8042-4f03d0481f60",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:02:12.812Z",
+ "modified": "2025-04-16T23:03:41.817Z",
"description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
"relationship_type": "uses",
"source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
"target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6.json b/ics-attack/relationship/relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6.json
index 643b7d028a..5ce7219c9b 100644
--- a/ics-attack/relationship/relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6.json
+++ b/ics-attack/relationship/relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5172351d-97a0-488a-8646-37f5a1c1fc41",
+ "id": "bundle--6d0cd000-426e-4818-a4e4-605fc6d29537",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6",
"created": "2024-04-09T20:47:47.280Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:47:47.280Z",
+ "modified": "2025-04-16T23:03:42.019Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json b/ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json
index 525738c772..82e1d26047 100644
--- a/ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json
+++ b/ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c34d72b3-7c26-4b5a-a05a-a9313913c6b6",
+ "id": "bundle--db260d70-eea8-469a-98b1-0c5f61ce3209",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d",
"created": "2023-09-28T20:17:07.288Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:17:07.288Z",
+ "modified": "2025-04-16T23:03:42.230Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json b/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json
index 97515d894d..43c55d76a6 100644
--- a/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json
+++ b/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f4272728-1dcf-4010-9bff-f431887239eb",
+ "id": "bundle--9b5001c3-9d9c-4b00-8a2c-ca892f762378",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:52:41.680Z",
+ "modified": "2025-04-16T23:03:42.456Z",
"description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json b/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json
index 94d8ef1d6b..c18fe907fd 100644
--- a/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json
+++ b/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--a94fde3e-ce79-4a75-a545-32e375cee113",
+ "id": "bundle--adecc42b-afa2-4c85-892d-84c0bae3fe2a",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.112Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:42.723Z",
"description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037",
"target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json b/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json
index f7386e28f1..d32f00c368 100644
--- a/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json
+++ b/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f3e2b34d-4947-4260-85f7-2a1b17d178fb",
+ "id": "bundle--e898d2f6-7db2-45c6-89fc-112c51f006ee",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8",
"created": "2023-09-28T20:25:30.229Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:25:30.229Z",
+ "modified": "2025-04-16T23:03:42.947Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json b/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json
index 7183dd3d34..e93661295a 100644
--- a/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json
+++ b/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3fdf6285-5896-4127-aa61-74a6f1085133",
+ "id": "bundle--26d5cab4-b2cd-48f2-9bd8-a85febab1e7c",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:47:35.796Z",
+ "modified": "2025-04-16T23:03:43.154Z",
"description": "Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets, including the associated controller tasking.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json b/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json
index 581ff79e40..b4af642bdd 100644
--- a/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json
+++ b/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--63fab5e2-85e0-4fef-876f-0f1316c671c5",
+ "id": "bundle--52d9a564-cdef-42e2-b002-cbd6ddad00af",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:16:09.542Z",
+ "modified": "2025-04-16T23:03:43.371Z",
"description": "Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that that an alarm setting has changed. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json b/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json
index 0c6ff23b62..16684f34dd 100644
--- a/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json
+++ b/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2c45d908-b05e-48f8-9973-d9d3fe04dd79",
+ "id": "bundle--3df4c71d-4141-4c7d-a009-8c7c54ca0317",
"spec_version": "2.0",
"objects": [
{
@@ -22,8 +22,8 @@
},
{
"source_name": "Intel HackingTeam UEFI Rootkit",
- "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.",
- "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"
+ "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"
},
{
"source_name": "Github CHIPSEC",
@@ -34,15 +34,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:48:56.024Z",
+ "modified": "2025-04-16T23:03:43.569Z",
"description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json b/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json
index 5c89ae37c2..652608641b 100644
--- a/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json
+++ b/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d666eb8b-45e6-4bb0-b07f-b4c7aaa81af2",
+ "id": "bundle--0ee11d8b-19e1-4942-aa84-61f7c48a05db",
"spec_version": "2.0",
"objects": [
{
@@ -12,7 +12,7 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
},
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.265Z",
+ "modified": "2025-04-16T23:03:43.764Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [KillDisk](https://attack.mitre.org/software/S0607) rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the firmware for serial-to-ethernet converters, denying operators control of the downstream devices. (Citation: Booz Allen Hamilton)(Citation: Ukraine15 - EISAC - 201603)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json b/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json
index 65c62c225a..164571df80 100644
--- a/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json
+++ b/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--536705b5-f184-4772-b1cc-582be7047f30",
+ "id": "bundle--609b9761-ea7e-478c-b2ec-c8e01d17f4ea",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.115Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:43.954Z",
"description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
"target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json b/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json
index d7f7f050af..617f4fb373 100644
--- a/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json
+++ b/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--24f2f301-497b-453f-bd45-2ed548b28b89",
+ "id": "bundle--80461057-f972-410e-b691-e2f349651b61",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:59:40.539Z",
+ "modified": "2025-04-16T23:03:44.154Z",
"description": "Monitor device application logs parameter changes, although not all devices will produce such logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json b/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json
index c1d43e15e4..d493b576d0 100644
--- a/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json
+++ b/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c02902f5-634b-4a8a-b396-bea1cfb122d6",
+ "id": "bundle--bf458431-e8ad-4304-9e3b-b659cc01da0a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1",
"created": "2023-09-29T16:40:54.250Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:40:54.250Z",
+ "modified": "2025-04-16T23:03:44.374Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json b/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json
index 36775b1b79..cff67f9a40 100644
--- a/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json
+++ b/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5b238152-3f70-4e2b-8896-e643198a4853",
+ "id": "bundle--f3af608e-67e7-46a4-8a9e-789140123a52",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e",
"created": "2023-09-29T16:41:32.631Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:41:32.631Z",
+ "modified": "2025-04-16T23:03:44.581Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json b/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json
index 50b4d48146..70001f7751 100644
--- a/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json
+++ b/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d13e8eac-6ace-42c8-a9f8-1aa636d31b87",
+ "id": "bundle--ad7a47fa-276d-4941-85d5-185c9017b09c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319",
"created": "2023-09-29T18:47:52.800Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:47:52.800Z",
+ "modified": "2025-04-16T23:03:44.807Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--982d0b4f-274a-4738-9262-57fc80d468f9.json b/ics-attack/relationship/relationship--982d0b4f-274a-4738-9262-57fc80d468f9.json
index af42f12158..7d40d37987 100644
--- a/ics-attack/relationship/relationship--982d0b4f-274a-4738-9262-57fc80d468f9.json
+++ b/ics-attack/relationship/relationship--982d0b4f-274a-4738-9262-57fc80d468f9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7f578775-1710-44f0-9bcc-4d545b840662",
+ "id": "bundle--465c5e2f-9fb2-4901-be09-3ab21b81763a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--982d0b4f-274a-4738-9262-57fc80d468f9",
"created": "2024-03-26T15:41:51.806Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-26T15:41:51.806Z",
+ "modified": "2025-04-16T23:03:45.001Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json b/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json
index c9eac7ac98..632cf00788 100644
--- a/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json
+++ b/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--414da13c-fc0d-4204-9470-bdded537394b",
+ "id": "bundle--42c94f30-1ed3-4f5f-8388-0d9118e80599",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.172Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:45.188Z",
"description": "Devices should authenticate all messages between master and outstation assets.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5.json b/ics-attack/relationship/relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5.json
index a21f36acc4..714f145d71 100644
--- a/ics-attack/relationship/relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5.json
+++ b/ics-attack/relationship/relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b3292685-aa8d-4e18-8248-2c38bc298f90",
+ "id": "bundle--f9d7d55a-bad8-4fa2-a266-44f308e387bb",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-17T15:20:25.327Z",
+ "modified": "2025-04-16T23:03:45.412Z",
"description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) executed a MicroSCADA application binary `scilc.exe` to send a predefined list of SCADA instructions specified in a file defined by the adversary, `s1.txt`. The executed command `C:\\sc\\prog\\exec\\scilc.exe -do pack\\scil\\s1.txt` leverages the SCADA software to send unauthorized command messages to remote substations.(Citation: Mandiant-Sandworm-Ukraine-2022)",
"relationship_type": "uses",
"source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d",
"target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--98567b03-7421-4761-8caa-cbea82d89fe3.json b/ics-attack/relationship/relationship--98567b03-7421-4761-8caa-cbea82d89fe3.json
index 254be35b79..adbb226bb1 100644
--- a/ics-attack/relationship/relationship--98567b03-7421-4761-8caa-cbea82d89fe3.json
+++ b/ics-attack/relationship/relationship--98567b03-7421-4761-8caa-cbea82d89fe3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--55396c98-13d2-4b55-93cc-032ea7056aab",
+ "id": "bundle--dd38c940-f1e1-4f2b-a599-feae8c5e94f2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--98567b03-7421-4761-8caa-cbea82d89fe3",
"created": "2024-03-26T15:40:06.457Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-26T15:40:06.457Z",
+ "modified": "2025-04-16T23:03:45.606Z",
"description": "Configure operating systems to disable the autorun of any specific file types or drives.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce",
"target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json b/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json
index 50515a37b3..7873e4e9b7 100644
--- a/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json
+++ b/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--33b8d366-16c5-4b9e-a922-8643ec5fd534",
+ "id": "bundle--5698949a-0ae0-466e-b69f-c9f1d439c5d2",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:29:49.652Z",
+ "modified": "2025-04-16T23:03:45.836Z",
"description": "Monitor logon sessions for default credential use.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
"target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json b/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json
index 16753586db..fb9454543b 100644
--- a/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json
+++ b/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--0e61e8ee-ade1-44e2-ab1a-b807c73188d7",
+ "id": "bundle--2b351f7c-99d9-49af-ae54-8eb592ccba32",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.127Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:46.037Z",
"description": "Set and enforce secure password policies for accounts.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json b/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json
index 7b1d4d9b53..fc17cdc6ba 100644
--- a/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json
+++ b/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6c43396f-b1ae-45be-bea7-01d865e65915",
+ "id": "bundle--a8f06968-0b5d-4cc8-985c-a2ab5e323e57",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:53:25.280Z",
+ "modified": "2025-04-16T23:03:46.280Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of control. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json b/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json
index 4699e48b5a..e0dbb5e140 100644
--- a/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json
+++ b/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f171b8d2-c1a7-4375-9661-cfb8b1905b84",
+ "id": "bundle--2fb74b69-561b-426f-ad01-e833d3e3d06a",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:40:11.392Z",
+ "modified": "2025-04-16T23:03:46.490Z",
"description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to temporarily shutdown. (Citation: Catalin Cimpanu April 2016)",
"relationship_type": "uses",
"source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55",
"target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json b/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json
index 0eb01716e2..ed3de479e0 100644
--- a/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json
+++ b/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8c71a1bd-2286-4e63-b75a-a5af9d06ba57",
+ "id": "bundle--347e78a5-ef1b-4399-9aca-3d629445061b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134",
"created": "2023-09-29T18:03:23.576Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:03:23.576Z",
+ "modified": "2025-04-16T23:03:46.711Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json b/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json
index 6c6a9839c7..cedc4000eb 100644
--- a/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json
+++ b/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--cabd9dcc-a5f0-4516-a231-1b4f78f307bf",
+ "id": "bundle--5660a1ef-e377-4332-9263-54921640030a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:36:13.269Z",
+ "modified": "2025-04-16T23:03:46.921Z",
"description": "Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json b/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json
index cd59b00f5f..8250c6920c 100644
--- a/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json
+++ b/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a561c492-9f75-430d-ae9f-2cf264189c77",
+ "id": "bundle--fcf82ced-9ccd-4c40-9510-d77e4ee97b7f",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.094Z",
- "relationship_type": "mitigates",
- "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
- "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
- "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "M. Rentschler and H. Heine",
@@ -23,9 +15,16 @@
"url": "https://ieeexplore.ieee.org/document/6505877"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:47.107Z",
+ "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
+ "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json b/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json
index af8f18007c..ce516cf54f 100644
--- a/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json
+++ b/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--509f4af8-2151-407b-9091-2af9571de941",
+ "id": "bundle--57f2a13a-08d5-425c-88d8-127dcfa58f49",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f",
"created": "2023-09-28T19:56:54.642Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:56:54.642Z",
+ "modified": "2025-04-16T23:03:47.341Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json b/ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json
index b3532a22bd..a1bbb9a8b2 100644
--- a/ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json
+++ b/ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d2a32efb-b904-493c-a07a-a1cf1677ef9e",
+ "id": "bundle--b02d3d25-51f6-4241-887d-00289cdb4de7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--99fa6d92-0c41-44ed-bd30-dd0413785883",
"created": "2023-09-29T18:43:23.321Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:43:23.321Z",
+ "modified": "2025-04-16T23:03:47.537Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json b/ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json
index ace718e454..ed53565654 100644
--- a/ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json
+++ b/ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f1646eb4-aabe-4fde-9eea-911080eb3056",
+ "id": "bundle--9a008e3f-17b5-49a4-b540-551b43d0acae",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf",
"created": "2023-09-28T20:04:32.626Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:04:32.626Z",
+ "modified": "2025-04-16T23:03:47.761Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json b/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json
index 08682a305a..0ab7a422b5 100644
--- a/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json
+++ b/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--e873ea80-6131-45f6-8242-64c9a7e784d9",
+ "id": "bundle--a9ebb8f1-a815-420f-affa-97c0505be3ef",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.075Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:47.976Z",
"description": "Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0.json b/ics-attack/relationship/relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0.json
index 16273091ab..707277d3a6 100644
--- a/ics-attack/relationship/relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0.json
+++ b/ics-attack/relationship/relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9c6f6e86-2d3e-49d5-9565-0df4446b5b83",
+ "id": "bundle--61edf67b-6a01-4cb1-958a-32cc603ec91a",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-19T19:42:09.274Z",
+ "modified": "2025-04-16T23:03:48.222Z",
"description": "(Citation: CISA AA23-335A IRGC-Affiliated December 2023)",
"relationship_type": "attributed-to",
"source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de",
"target_ref": "intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json b/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json
index 7e92f8b989..d57dde72f3 100644
--- a/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json
+++ b/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--255ebf9c-c5bf-45e0-8f2f-ca6ca4dd6c6e",
+ "id": "bundle--5c53f9d3-de56-4432-9081-049bc1f028ba",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.203Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:48.444Z",
"description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json b/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json
index 54de43eba5..2eec105a0d 100644
--- a/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json
+++ b/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--5a9aa27e-d601-4c52-95d3-388625a4e96a",
+ "id": "bundle--c17a9f83-7c92-4fbd-a522-a6e8cb5be9c7",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:47:23.576Z",
+ "modified": "2025-04-16T23:03:48.658Z",
"description": "Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json b/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json
index 37e9cbde91..97806dbce2 100644
--- a/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json
+++ b/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--74ef71c1-66c8-4b7e-886e-e0bf959409ae",
+ "id": "bundle--aede156e-49a3-49ef-a9a8-fa5e349a4aa7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8",
"created": "2023-09-29T18:58:05.958Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:58:05.958Z",
+ "modified": "2025-04-16T23:03:48.878Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json b/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json
index 7afda3c68a..85f397c96a 100644
--- a/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json
+++ b/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--a93e4990-c078-4c86-bd8f-2ca88ae6f770",
+ "id": "bundle--a92dca7c-5cae-48a0-8113-a87053693b9f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.232Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:49.070Z",
"description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json b/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json
index 32a2711e61..a3a0e7d828 100644
--- a/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json
+++ b/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--00e420c9-be79-4c02-a6a7-7518b169b5d0",
+ "id": "bundle--04d7d69c-943a-45ef-bd66-98a5f36f03d4",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-11-23T21:06:25.384Z",
+ "modified": "2025-04-16T23:03:49.268Z",
"description": "(Citation: Dragos Xenotime 2018)",
"relationship_type": "uses",
"source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4",
"target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.0.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json b/ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json
index 434a534615..208a21543d 100644
--- a/ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json
+++ b/ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--90a187cc-f8a0-470e-8ee5-84465b358562",
+ "id": "bundle--9078dd3e-18c3-4295-8caa-b1066b7489e9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875",
"created": "2023-09-28T19:37:35.485Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:37:35.485Z",
+ "modified": "2025-04-16T23:03:49.479Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json b/ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json
index 822ec0712e..6890534b98 100644
--- a/ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json
+++ b/ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e6c71858-bbca-4afd-9433-319c14277f30",
+ "id": "bundle--0a0d2930-e67d-4213-b991-8547cd4ffd27",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1",
"created": "2023-09-28T20:11:52.625Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:11:52.625Z",
+ "modified": "2025-04-16T23:03:49.669Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json b/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json
index 017332ec33..6150d26c4a 100644
--- a/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json
+++ b/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d02f4ac7-42f3-4f64-8aa8-8681a321cc57",
+ "id": "bundle--9cd5dd28-51bf-4b32-843d-89cabcb05f31",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5",
"created": "2023-09-28T19:59:44.009Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:59:44.009Z",
+ "modified": "2025-04-16T23:03:49.859Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json b/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json
index a0685829f6..7f83a15892 100644
--- a/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json
+++ b/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--e6c978b7-26b6-447a-bed8-3801d96c06dd",
+ "id": "bundle--679d93c6-4fdb-49b9-a4b5-39e6e060525d",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.203Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:50.052Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json b/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json
index 46d3803a5c..bc808b9ccb 100644
--- a/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json
+++ b/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--778b3789-74c9-4da5-a069-e7b33297c9f7",
+ "id": "bundle--b7983571-0fbb-41c0-b847-69857e2c5ef8",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:41:05.460Z",
+ "modified": "2025-04-16T23:03:50.269Z",
"description": "Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json b/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json
index e07f0c82b7..3cab35b209 100644
--- a/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json
+++ b/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--953c2582-3aa1-455a-96b7-cb51a3478f8f",
+ "id": "bundle--a2a43886-b8fe-40ba-862a-7c3af0d02689",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:12:41.739Z",
+ "modified": "2025-04-16T23:03:50.487Z",
"description": "In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa",
"target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json b/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json
index 07cefdbef2..d33de0b057 100644
--- a/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json
+++ b/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c515980a-4f3e-4ffb-88de-07dfbb1caf5a",
+ "id": "bundle--658932b4-e78a-4c3a-a167-daa1883d2b1b",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:34:07.441Z",
+ "modified": "2025-04-16T23:03:50.708Z",
"description": "Alterations to the service binary path or the service startup type changed to disabled may be suspicious.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json b/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json
index 25ff17c18f..90349060c8 100644
--- a/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json
+++ b/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b1ecc96a-be41-4a84-8242-1423118d31a7",
+ "id": "bundle--ca640da6-7487-47b0-b833-75b9c69a4525",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:53:56.368Z",
+ "modified": "2025-04-16T23:03:50.900Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json b/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json
index 103022273d..7f4af7e45c 100644
--- a/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json
+++ b/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--be38966a-1bb2-4117-a064-606b068ada08",
+ "id": "bundle--e811db72-e986-4041-a8fa-c4d9725cac26",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:45:52.592Z",
+ "modified": "2025-04-16T23:03:51.099Z",
"description": "Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json b/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json
index c5ca904f8c..4593737728 100644
--- a/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json
+++ b/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b8e29891-045f-4655-8ce1-3fe96d01d382",
+ "id": "bundle--b0b322a2-44ca-4a48-aab8-c66fcfe5ff79",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:49:44.728Z",
+ "modified": "2025-04-16T23:03:51.313Z",
"description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
"target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json b/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json
index 2fadd5b65e..fd8ef61b93 100644
--- a/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json
+++ b/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--40c422ab-6426-4929-ab61-94babd1081c5",
+ "id": "bundle--2a5986c5-c1ec-4350-aa0f-fcbd02f61047",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-29T20:46:03.389Z",
+ "modified": "2025-04-16T23:03:51.519Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.(Citation: MDudek-ICS)\n\n[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.(Citation: MDudek-ICS)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json b/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json
index f7c0dcbe9e..01a8f56e05 100644
--- a/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json
+++ b/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8c74a362-4930-4458-af1a-288edead4a79",
+ "id": "bundle--12ee564c-6427-4cac-ad34-13108e247226",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:07:52.455Z",
+ "modified": "2025-04-16T23:03:51.731Z",
"description": "Monitor for a loss of network communications, which may indicate this technique is being used.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json b/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json
index 418b913264..4426129641 100644
--- a/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json
+++ b/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3354ff92-0dee-46d3-ac4a-119730b8129a",
+ "id": "bundle--19791106-31b5-485b-8837-e4f205b04f1f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:00:56.539Z",
+ "modified": "2025-04-16T23:03:51.928Z",
"description": "Monitor for a loss of network communications, which may indicate this technique is being used.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json b/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json
index 0a1915ff14..9644326211 100644
--- a/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json
+++ b/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--037c3ef5-4e85-4c14-ad38-a3429b221b08",
+ "id": "bundle--6383db92-ac12-4776-85d1-4ea47c1275cd",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500",
"created": "2023-09-29T18:07:28.902Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:07:28.902Z",
+ "modified": "2025-04-16T23:03:52.125Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json b/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json
index 4c534fd5b1..1d3249022e 100644
--- a/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json
+++ b/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e9a92af5-042f-4367-a3b4-38fd6ce2c837",
+ "id": "bundle--baf219b0-c955-47e2-961d-3a393071914b",
"spec_version": "2.0",
"objects": [
{
@@ -39,15 +39,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-08-20T19:04:50.748Z",
+ "modified": "2025-04-16T22:35:45.136Z",
"description": "(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2017)(Citation: ESET Industroyer)(Citation: Secureworks IRON VIKING)(Citation: mandiant_apt44_unearthing_sandworm)",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json b/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json
index 0e6dbc3e2f..2661867c37 100644
--- a/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json
+++ b/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ddb98ead-500e-447e-8064-ed5f6023362b",
+ "id": "bundle--535c077b-da93-4748-b3e4-2cf828479726",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5",
"created": "2022-09-27T16:38:57.931Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T16:38:57.931Z",
+ "modified": "2025-04-16T23:03:52.423Z",
"description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json b/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json
index 77038ab3bf..65e3859436 100644
--- a/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json
+++ b/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c1329570-dca5-4ddd-9c4d-d769019776cf",
+ "id": "bundle--ae6abaf9-02c6-4f8e-9ee3-97605d74fb91",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9f2926a2-596f-459e-827e-6fe2d4646efd",
"created": "2023-09-29T18:06:46.756Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:06:46.756Z",
+ "modified": "2025-04-16T23:03:52.641Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json b/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json
index a58460da1f..309b432226 100644
--- a/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json
+++ b/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2513d92d-3288-4dc4-a7cb-7380ef36d14e",
+ "id": "bundle--810a3173-2bbe-4502-b95b-6b8d21c938a1",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-08-20T19:05:06.892Z",
+ "modified": "2025-04-16T22:35:48.256Z",
"description": "(Citation: Industroyer2 ESET April 2022)(Citation: mandiant_apt44_unearthing_sandworm)",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json b/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json
index b79d5999c1..f757333a9e 100644
--- a/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json
+++ b/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--32e1fa0b-c627-434e-907b-90e29c8cb9d8",
+ "id": "bundle--ac1a4c9b-b221-4bff-b565-0773967722ee",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3",
"created": "2023-09-28T21:12:14.470Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:12:14.470Z",
+ "modified": "2025-04-16T23:03:52.949Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json b/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json
index 1337d51a88..a3822f7727 100644
--- a/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json
+++ b/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6d8b20fc-9acc-404a-a5c4-77867c232eab",
+ "id": "bundle--23f7838d-b920-4a08-be4f-292f4b1ed613",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:54:30.385Z",
+ "modified": "2025-04-16T23:03:53.161Z",
"description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json b/ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json
index 78255865d1..a397c82564 100644
--- a/ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json
+++ b/ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ea03606b-eb0f-41eb-8b15-4b6b5d275b64",
+ "id": "bundle--d75931e9-b43a-4dad-828f-f6113505d46b",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.265Z",
+ "modified": "2025-04-16T23:03:53.416Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json b/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json
index 66a0e2f568..c99433a8f6 100644
--- a/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json
+++ b/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6baee544-dd0b-41af-8c08-a9f5f0c05872",
+ "id": "bundle--19a93cfe-50ab-4ae8-b4a4-5efaf48846fb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47",
"created": "2023-09-28T20:04:19.147Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:04:19.147Z",
+ "modified": "2025-04-16T23:03:53.610Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json b/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json
index 47f0a57fb3..5350b6228d 100644
--- a/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json
+++ b/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--96e42a52-c804-48b5-93f4-54f7bf26d6e9",
+ "id": "bundle--7ae48c1a-1d9a-4c24-a2b3-c92f2c991864",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:40:06.988Z",
+ "modified": "2025-04-16T23:03:53.816Z",
"description": "Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json b/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json
index ac4aa9ec12..8763aec822 100644
--- a/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json
+++ b/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b6d77ae0-99fd-4232-ae44-e23ab8a4ae93",
+ "id": "bundle--66e863aa-f465-424c-9c44-3a658933cb27",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:54:58.401Z",
+ "modified": "2025-04-16T23:03:54.013Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of view. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json b/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json
index 15f2b7e353..226b19dcdd 100644
--- a/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json
+++ b/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--8ed6e18c-982c-4227-9332-0b1396d40af3",
+ "id": "bundle--e0fab239-8578-4df2-b25d-bc0953ccb7d7",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.069Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:03:54.224Z",
"description": "Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json b/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json
index 0a723fd886..ca26c62b71 100644
--- a/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json
+++ b/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--4dd250b2-5ba5-4a74-8dad-65fbf364d826",
+ "id": "bundle--fb883dc2-18e3-4aba-99c6-2c9486b636a2",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.233Z",
- "relationship_type": "mitigates",
- "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: CISA June 2013)\n",
- "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65",
- "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "CISA June 2013",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:54.421Z",
+ "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: CISA June 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65",
+ "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json b/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json
index a5437dab43..abcb63d11c 100644
--- a/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json
+++ b/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3882f1af-0963-4064-8767-8886369bc697",
+ "id": "bundle--2e421851-778c-4314-955f-e137a62c0875",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:33:05.248Z",
+ "modified": "2025-04-16T23:03:54.635Z",
"description": "Monitor for files accessed on removable media, particularly those with executable content.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
"target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json b/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json
index 0d116d03ca..d19ffe6ea1 100644
--- a/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json
+++ b/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e4a827b4-5491-4bba-90b4-64fa2805a95b",
+ "id": "bundle--4ad79d92-20a5-43d8-805c-2560ed830a5c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a15d718f-af30-4745-a837-887ba8f48727",
"created": "2023-09-29T16:30:46.705Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:30:46.705Z",
+ "modified": "2025-04-16T23:03:54.855Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json b/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json
index afd20af0af..365fc8d6e2 100644
--- a/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json
+++ b/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ab9208ef-a20e-4dba-93af-fde35471f1b6",
+ "id": "bundle--688bf171-1a71-4311-afd2-bead64275c38",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:55:26.032Z",
+ "modified": "2025-04-16T23:03:55.071Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. (Citation: Dragos Inc. June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json b/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json
index 04bdad9bd2..882c162d5b 100644
--- a/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json
+++ b/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7e82319b-f7c7-4e62-a073-bfe1ea668a56",
+ "id": "bundle--6bd232cb-ed9b-47d9-aad8-60466bf17a96",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476",
"created": "2023-09-29T16:43:16.472Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:43:16.472Z",
+ "modified": "2025-04-16T23:03:55.269Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json b/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json
index d066381249..1ae295b70a 100644
--- a/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json
+++ b/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--06ae6a39-fb09-4ffe-b83f-220d308b9e4f",
+ "id": "bundle--58b713a0-a0e3-404d-b28c-d7af4a326743",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3",
"created": "2023-09-29T16:28:17.629Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:28:17.629Z",
+ "modified": "2025-04-16T23:03:55.467Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json b/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json
index 94c9eb9dcc..ef3a1a3634 100644
--- a/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json
+++ b/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0a756b66-aa53-40cc-be15-c8fe50cc123e",
+ "id": "bundle--68dd92d8-0765-43af-bab8-9ce8a9796c15",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:15:48.476Z",
+ "modified": "2025-04-16T23:03:55.670Z",
"description": "Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to enable remote logins.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json b/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json
index 6bd2941d08..3dd9ec0603 100644
--- a/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json
+++ b/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3cdec62b-027e-4dce-b9b0-db87f0a98a72",
+ "id": "bundle--3c289415-4f36-44a8-8fb2-cae43a4aa03f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039",
"created": "2023-09-28T21:16:05.517Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:16:05.517Z",
+ "modified": "2025-04-16T23:03:55.878Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json b/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json
index 16bbc16210..e5b4e826e7 100644
--- a/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json
+++ b/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a9d87d4b-d2ae-4de7-b22b-7c18d2c8776d",
+ "id": "bundle--f52b20cd-8eca-4d88-a313-6d07bfe6952e",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--a22fabd2-836e-4141-9219-c76cc10138ec",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.100Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:03:56.065Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json b/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json
index 88f99eff99..7da1023673 100644
--- a/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json
+++ b/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4c23ec1a-4c3f-4bd0-ba2d-27a565b66284",
+ "id": "bundle--4e3f17db-aea7-49cc-985d-b14a4b7bc390",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b",
"created": "2023-09-29T16:44:03.912Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:44:03.912Z",
+ "modified": "2025-04-16T23:03:56.284Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json b/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json
index 1199c31eb3..3dd868c357 100644
--- a/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json
+++ b/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--eac61be9-9db6-4ce2-ad63-f1b28995e1b2",
+ "id": "bundle--9e27856b-f579-4d6e-a129-f561e320998a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d",
"created": "2023-09-29T18:04:05.993Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:04:05.993Z",
+ "modified": "2025-04-16T23:03:56.481Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json b/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json
index 461257a7d0..b657c8432f 100644
--- a/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json
+++ b/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--492a277c-dc31-44e5-9ba5-07d56dfe1f00",
+ "id": "bundle--5eac30fa-f094-431a-992a-ac6ca5ccc6c5",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:50:54.867Z",
+ "modified": "2025-04-16T23:03:56.721Z",
"description": "On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. Shells may be common on administrator, developer, or power user systems depending on job function.\n\nOn network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json b/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json
index 054de65ab5..41c5543e2e 100644
--- a/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json
+++ b/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e2fe84b4-39fa-4a93-8030-b432eb876d33",
+ "id": "bundle--7aa24852-acd0-4692-a8b3-dedc453fbba9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9",
"created": "2023-09-29T16:36:28.818Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:36:28.818Z",
+ "modified": "2025-04-16T23:03:56.945Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json b/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json
index e3d092d90d..26af0a10f0 100644
--- a/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json
+++ b/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2676b228-66d9-436a-91c9-437d8d05a88c",
+ "id": "bundle--40382281-259f-45ed-9212-67b4549a7098",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7",
"created": "2023-09-29T16:39:54.248Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:39:54.248Z",
+ "modified": "2025-04-16T23:03:57.163Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json b/ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json
index 1014423a34..22fea97f0f 100644
--- a/ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json
+++ b/ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f7b13e2e-e62f-4298-a23a-c994f590cf84",
+ "id": "bundle--2df43aa3-a546-4a25-a4e1-0c2172d98775",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a45cec05-2d81-4db1-9267-db8be498e0d2",
"created": "2023-09-29T16:46:50.699Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:46:50.699Z",
+ "modified": "2025-04-16T23:03:57.362Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json b/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json
index 794cab2f8f..cc7015ba92 100644
--- a/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json
+++ b/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b899bdb0-7d8a-444d-b750-8a3f1c25b88b",
+ "id": "bundle--3e479b6c-fc8d-478b-a1f2-6018830dd8d4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac",
"created": "2023-09-29T17:40:58.726Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:40:58.726Z",
+ "modified": "2025-04-16T23:03:57.565Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json b/ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json
index 7929af31da..ca4e23c6fb 100644
--- a/ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json
+++ b/ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9e12ccd7-9028-4bee-921b-acf20f80f1ba",
+ "id": "bundle--acad32b0-911c-41b1-aa98-48ee9a8009d6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63",
"created": "2023-09-29T17:57:44.978Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:57:44.978Z",
+ "modified": "2025-04-16T23:03:57.777Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json b/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json
index 2fa8afe530..a5210a3ec0 100644
--- a/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json
+++ b/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--dbe807b3-1308-4e5a-9c3a-c315449d9c07",
+ "id": "bundle--b2f83043-8dff-4ee9-b0a0-a9caf2620fab",
"spec_version": "2.0",
"objects": [
{
@@ -29,15 +29,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:20:11.016Z",
+ "modified": "2025-04-16T23:03:57.968Z",
"description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json b/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json
index 8c59eb95c7..66c850f799 100644
--- a/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json
+++ b/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--27804446-54a5-4fb8-91b8-134b81aa7628",
+ "id": "bundle--27414250-65e4-49f6-a9a3-9546403bc519",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5",
"created": "2023-09-29T17:40:08.922Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:40:08.922Z",
+ "modified": "2025-04-16T23:03:58.166Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json b/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json
index 300c895afc..42fe3d62b0 100644
--- a/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json
+++ b/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b8f395e0-5399-465a-936c-1d5255c4ecc7",
+ "id": "bundle--40f848f2-b0f8-4b80-af7f-5540e271aed8",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:02:30.876Z",
+ "modified": "2025-04-16T23:03:58.388Z",
"description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
"relationship_type": "uses",
"source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json b/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json
index 21050a0d12..1ca71a9c0c 100644
--- a/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json
+++ b/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b036d20a-59dc-4cf9-9eab-6e216a665628",
+ "id": "bundle--6d81a1d2-7d07-4c72-bd65-86528f26e41e",
"spec_version": "2.0",
"objects": [
{
@@ -12,7 +12,7 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
},
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T15:28:24.006Z",
+ "modified": "2025-04-16T23:03:58.585Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) remotely discovered operational assets once on the OT network. (Citation: Charles McLellan March 2016) (Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json b/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json
index 1e55a9e176..268bcac6f7 100644
--- a/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json
+++ b/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ef6bb9bd-c028-4021-b014-c99c1c3dc4df",
+ "id": "bundle--864af6e6-5a8b-4d60-b130-d9e9c2a4a5ec",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:14:57.034Z",
+ "modified": "2025-04-16T23:03:58.780Z",
"description": "Monitor for alarm setting changes observable in automation or management network protocols.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a6277ff6-9cdf-484f-a902-3f9442039905.json b/ics-attack/relationship/relationship--a6277ff6-9cdf-484f-a902-3f9442039905.json
index c1186672ed..00600a5ff7 100644
--- a/ics-attack/relationship/relationship--a6277ff6-9cdf-484f-a902-3f9442039905.json
+++ b/ics-attack/relationship/relationship--a6277ff6-9cdf-484f-a902-3f9442039905.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--99830016-fbe9-4981-b7cf-2ea8ba3fb162",
+ "id": "bundle--ef9d80bb-d212-48a9-a5a0-2f66fe126605",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a6277ff6-9cdf-484f-a902-3f9442039905",
"created": "2024-09-11T22:55:18.833Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-09-11T22:55:18.833Z",
+ "modified": "2025-04-16T23:03:58.990Z",
"description": "[Fuxnet](https://attack.mitre.org/software/S1157) shut down remote access services such as SSH, HTTP, telnet, and SNMP to a device along with deleting the routing table for routing devices to inhibit system accessibility and communication.(Citation: Claroty Fuxnet 2024)",
"relationship_type": "uses",
"source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json b/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json
index 93bb9a7353..4e33f6b7bf 100644
--- a/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json
+++ b/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c3c7a3dc-0af2-4979-94d0-67bb4d39adc8",
+ "id": "bundle--5ab9c197-8cba-44d2-8191-b10ab8a13350",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-07T17:06:53.070Z",
+ "modified": "2025-04-16T23:03:59.266Z",
"description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems.(Citation: Dragos Crashoverride 2018)",
"relationship_type": "uses",
"source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json b/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json
index 287416ac4e..e7156c1ad3 100644
--- a/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json
+++ b/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--de952c8c-cb92-48b4-b01b-6896d76ab4e1",
+ "id": "bundle--ed6f0e12-bda5-4fc2-b6ca-8358bea045d5",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:47:16.775Z",
+ "modified": "2025-04-16T23:03:59.465Z",
"description": "[EKANS](https://attack.mitre.org/software/S0605) infection resulted in a temporary production loss within a Honda manufacturing plant. (Citation: Davey Winder June 2020)",
"relationship_type": "uses",
"source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json b/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json
index ede20c096d..050002ade0 100644
--- a/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json
+++ b/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9204fd6a-6854-4209-9429-c37c9aedfb0c",
+ "id": "bundle--91a003af-59c4-4ca7-b111-9cac7030fe49",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-31T20:13:05.134Z",
+ "modified": "2025-04-16T23:03:59.704Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json b/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json
index 6f1ee8535c..540753d914 100644
--- a/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json
+++ b/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c88ac185-b045-4c04-8deb-855b3eaf292b",
+ "id": "bundle--d3c3a1e2-82e7-4548-8b6e-0c8c121d8dc2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7",
"created": "2023-09-29T17:05:56.185Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:05:56.185Z",
+ "modified": "2025-04-16T23:03:59.902Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json b/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json
index fa73e7b436..decda81964 100644
--- a/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json
+++ b/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--9fb265f0-ff1b-4c45-a1a2-dee7bfddfae4",
+ "id": "bundle--01679d2e-86d0-4ad6-99b4-acabe4b60457",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927",
"created": "2023-03-30T14:08:06.442Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T14:08:06.442Z",
+ "modified": "2025-04-16T23:04:00.124Z",
"description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a72c212f-6d4f-4c5d-873d-afa42021024c.json b/ics-attack/relationship/relationship--a72c212f-6d4f-4c5d-873d-afa42021024c.json
index 62f0d39269..46a18529f0 100644
--- a/ics-attack/relationship/relationship--a72c212f-6d4f-4c5d-873d-afa42021024c.json
+++ b/ics-attack/relationship/relationship--a72c212f-6d4f-4c5d-873d-afa42021024c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--034308f9-3dd2-4f37-869e-5e200c4c82ef",
+ "id": "bundle--f8a5171f-8263-40dd-840e-364d0ca5bd16",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a72c212f-6d4f-4c5d-873d-afa42021024c",
"created": "2024-03-26T15:42:10.203Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-26T15:42:10.203Z",
+ "modified": "2025-04-16T23:04:00.313Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json b/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json
index 1f36605ca1..08dfbd4c67 100644
--- a/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json
+++ b/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--04099b9d-5ae6-43c3-96ee-892405569266",
+ "id": "bundle--450e5182-47d8-4f6f-af33-f27635de0404",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T19:22:39.784Z",
+ "modified": "2025-04-16T23:04:00.526Z",
"description": "Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json b/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json
index 9986a4d3ae..af7477aa33 100644
--- a/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json
+++ b/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--82200ed9-ec65-4c58-a9ff-8ef3a620eac4",
+ "id": "bundle--f3c20e73-c2a0-43fa-80ea-30531d834096",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.218Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:00.728Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json b/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json
index 39efdf9862..0b8f242300 100644
--- a/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json
+++ b/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--4bb9a273-74d7-4a9d-b1b6-df601c88bcf0",
+ "id": "bundle--aa8060b0-55fc-4f78-bf4e-1487e82cf98f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.217Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:00.928Z",
"description": "Patch the BIOS and EFI as necessary.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json b/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json
index 037c2d63b9..522122f85e 100644
--- a/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json
+++ b/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--8361f67a-b118-4378-b81d-a7039bb7e24f",
+ "id": "bundle--ab4a7787-adfd-4640-8bdb-ccd4a3d32439",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--a78e727c-8e42-448c-beb4-463804e18be0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.123Z",
- "relationship_type": "mitigates",
- "description": "Minimize permissions and access for service accounts to limit impact of exploitation. (Citation: Keith Stouffer May 2015)\n",
- "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
- "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:01.131Z",
+ "description": "Minimize permissions and access for service accounts to limit impact of exploitation. (Citation: Keith Stouffer May 2015)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
+ "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json b/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json
index ad78ccca6f..1b66f0892d 100644
--- a/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json
+++ b/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8b4a25b1-e3ab-4118-8f79-bf434fba5123",
+ "id": "bundle--4027f8a2-98bb-458f-ad30-23d02bb073b2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac",
"created": "2023-09-28T19:41:16.927Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:41:16.927Z",
+ "modified": "2025-04-16T23:04:01.326Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json b/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json
index b986327caf..b57687c4f5 100644
--- a/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json
+++ b/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--fd4f9c24-34b3-4efe-a3f5-e6ace929b6e7",
+ "id": "bundle--a9397f27-a9a7-4f70-8b30-9896d303dd0e",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Elastic - Koadiac Detection with EQL",
- "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.",
- "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
+ "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.",
+ "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:49:34.799Z",
+ "modified": "2025-04-16T23:04:01.540Z",
"description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json b/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json
index 249ffb30df..ff68140420 100644
--- a/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json
+++ b/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9f5d68dc-e82d-457d-aaa4-5aaa0430011f",
+ "id": "bundle--154013b9-689f-49e8-9d11-ba6279d2367d",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:33:22.909Z",
+ "modified": "2025-04-16T23:04:01.767Z",
"description": "Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json b/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json
index 5c9e8e1c47..89437dbff2 100644
--- a/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json
+++ b/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--65c8d6ed-dd68-4a0b-8791-bd1b41de9bbc",
+ "id": "bundle--00f79ae3-e1b8-490f-8e57-07a7b68b20cd",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:42:02.105Z",
+ "modified": "2025-04-16T23:04:01.971Z",
"description": "All field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json b/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json
index 7b62d1cfdc..faed66eadd 100644
--- a/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json
+++ b/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1f849702-0462-4976-bee6-d76aa3927ba1",
+ "id": "bundle--28bf98bf-30e6-47ed-bc3c-11e5bcd7e542",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a",
"created": "2022-09-29T14:27:05.757Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-29T14:27:05.757Z",
+ "modified": "2025-04-16T23:04:02.178Z",
"description": "Monitor logon sessions for hardcoded credential use, when feasible.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
"target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json b/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json
index 5bb2ca7671..cf8623f93c 100644
--- a/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json
+++ b/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--844a3c25-c8ae-47c5-87f0-011de4d28a1a",
+ "id": "bundle--528b54a7-21b7-4a18-8988-322d76cd8501",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.126Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:02.422Z",
"description": "Consider utilizing jump boxes for external remote access. Additionally, dynamic account management may be used to easily remove accounts when not in use.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json b/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json
index 5e3453d991..6044ab1ba7 100644
--- a/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json
+++ b/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--7668763f-58e7-46b8-b351-21565dae12c4",
+ "id": "bundle--66323924-8901-4e00-8e9a-b7b8b6992043",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:39:30.850Z",
+ "modified": "2025-04-16T23:04:02.626Z",
"description": "Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json b/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json
index d9cc44aee5..d5f0152ab6 100644
--- a/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json
+++ b/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c2a4d6c0-5660-4715-b229-383202f39741",
+ "id": "bundle--4228707e-cf83-4606-a6e6-c9052034daa2",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T16:59:07.486Z",
+ "modified": "2025-04-16T23:04:02.855Z",
"description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. (Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json b/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json
index f554644395..0809250d3d 100644
--- a/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json
+++ b/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--dbf183cc-b523-49b9-beb6-c6f6a45af40b",
+ "id": "bundle--16ae222d-2ef1-4119-94d5-8da8d00adc28",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.125Z",
- "relationship_type": "mitigates",
- "description": "Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
- "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:03.070Z",
+ "description": "Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
+ "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json b/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json
index 74b0a3c766..e689f80de7 100644
--- a/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json
+++ b/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7a8ade91-96b6-4631-bdbe-477322b7b915",
+ "id": "bundle--b06151a3-6700-46ac-b261-0be77f91925d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1",
"created": "2023-09-28T20:28:27.970Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:28:27.970Z",
+ "modified": "2025-04-16T23:04:03.314Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json b/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json
index 1043917a32..fd767657a9 100644
--- a/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json
+++ b/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--20e1faa7-e5f4-44b2-94b4-d52a3347a406",
+ "id": "bundle--a1b54a48-34b0-4c9e-86f4-6f077db83871",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.079Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:03.514Z",
"description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json b/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json
index faf097b590..2db1e9321c 100644
--- a/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json
+++ b/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--94a70acf-30af-4c31-8173-38b9d4836bd6",
+ "id": "bundle--f3c42e47-132a-43a7-945d-d811cf804315",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:46:24.589Z",
+ "modified": "2025-04-16T23:04:03.727Z",
"description": "Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json b/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json
index 4633b7a876..f67755b23b 100644
--- a/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json
+++ b/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--726fcc86-63ed-4394-bca6-853e16e26acf",
+ "id": "bundle--9ff3beac-2065-4aae-adac-ddedef3c05eb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a91295dc-b381-4dc9-9384-9f9949066778",
"created": "2023-09-29T18:42:18.446Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:42:18.446Z",
+ "modified": "2025-04-16T23:04:03.935Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json b/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json
index abb0929b69..64dd5f86f3 100644
--- a/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json
+++ b/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ce4cbb3d-3af4-4372-8f0e-30e85b688c03",
+ "id": "bundle--9f59b07b-f681-4093-a4b4-8c7a92250410",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--a93ba793-24dd-47dd-b32c-4c3016124c90",
"created": "2023-09-29T18:43:02.969Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:43:02.969Z",
+ "modified": "2025-04-16T23:04:04.140Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json b/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json
index a954a1303f..b5f2ec40fb 100644
--- a/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json
+++ b/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2681822f-43f1-4852-95bf-64a75c3ce04f",
+ "id": "bundle--591d93c4-167e-4c16-a66f-ab2910b9d02a",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:27:55.358Z",
+ "modified": "2025-04-16T23:04:04.390Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. (Citation: MDudek-ICS)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json b/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json
index 177ac0f699..d79d9f06b0 100644
--- a/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json
+++ b/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6b3ef798-ed85-4739-9e42-c20bb2cb42cf",
+ "id": "bundle--15fe3bed-8c0e-46c9-82ad-8f761dad586d",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:52:11.111Z",
+ "modified": "2025-04-16T23:04:04.596Z",
"description": "Devices may produce alarms about restarts or shutdowns. Monitor for unexpected device restarts or shutdowns.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json b/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json
index 553dbd6381..355098ff0f 100644
--- a/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json
+++ b/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--45832ee5-37a4-4c74-a4df-80f159c3fc23",
+ "id": "bundle--a4c40b8b-f1c9-4919-8f22-c19b151d6e33",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91",
"created": "2022-09-26T16:35:07.728Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:35:07.728Z",
+ "modified": "2025-04-16T23:04:04.805Z",
"description": "Monitor for new master devices communicating with outstations, which may be visible in alarms within the ICS environment.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json b/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json
index 4adbd1e4c6..4bbea7093d 100644
--- a/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json
+++ b/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--133f8ad0-c407-41ef-8775-e4fdb0fb903a",
+ "id": "bundle--0ac0b279-b072-41a9-aef8-c61cc206ba09",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba",
"created": "2023-09-29T17:42:56.284Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:42:56.284Z",
+ "modified": "2025-04-16T23:04:04.996Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa.json b/ics-attack/relationship/relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa.json
index 953a9efd50..8909b36943 100644
--- a/ics-attack/relationship/relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa.json
+++ b/ics-attack/relationship/relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8f188945-2903-4138-8ce5-0fb6664dcff7",
+ "id": "bundle--cfc86d28-a765-43e3-9160-f2d00bf5ac89",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa",
"created": "2023-03-30T19:03:59.066Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:03:59.066Z",
+ "modified": "2025-04-16T23:04:05.230Z",
"description": "Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json b/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json
index a26ab69c62..53b9fb09f6 100644
--- a/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json
+++ b/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e27e2a25-47cc-4742-8f2f-b3957729ed6e",
+ "id": "bundle--5d196f51-587e-496a-8c2e-266c535c3419",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:32:51.548Z",
+ "modified": "2025-04-16T23:04:05.429Z",
"description": "Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json b/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json
index 8aa7fb3950..b46f0b4582 100644
--- a/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json
+++ b/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e5a8bd0b-4eeb-482b-84a3-de5a5b1d8664",
+ "id": "bundle--0677966e-0a22-436b-bcb6-519e6c63a777",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ab0b5170-577b-491e-8508-b9a34dc393c1",
"created": "2022-09-27T16:22:57.470Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T16:22:57.470Z",
+ "modified": "2025-04-16T23:04:05.628Z",
"description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d",
"target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json b/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json
index 9fa1f361f7..5fa471aa07 100644
--- a/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json
+++ b/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--7903f729-abba-4d65-8704-67268cbfac87",
+ "id": "bundle--95ef3ab3-831d-4cf3-adda-7268222e47b4",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:06:16.474Z",
+ "modified": "2025-04-16T23:04:05.817Z",
"description": "The [REvil](https://attack.mitre.org/software/S0496) malware gained access to an organizations network and encrypted sensitive files used by OT equipment. (Citation: Selena Larson, Camille Singleton December 2020)",
"relationship_type": "uses",
"source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json b/ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json
index 899c6bb906..888ae81eb7 100644
--- a/ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json
+++ b/ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--54de64cd-7457-4b74-97b1-77089db658c8",
+ "id": "bundle--98f6cee2-3359-4ce0-b34c-981852de7d3a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b",
"created": "2023-09-29T17:37:50.048Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:37:50.048Z",
+ "modified": "2025-04-16T23:04:06.042Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json b/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json
index 399734cd4c..d4cab3702a 100644
--- a/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json
+++ b/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--44300c3c-3b1c-427c-ba7c-470c41f1aff6",
+ "id": "bundle--35552b8b-2050-4d6d-a1bf-277bdb5ea57e",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.080Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:06.270Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json b/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json
index 52b52e4b8d..b77342b5e1 100644
--- a/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json
+++ b/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--cc364ead-6a8f-4a2b-a3f7-559e319e20b4",
+ "id": "bundle--96711797-2d33-43b6-b7fe-9b7b4b198338",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e",
"created": "2023-09-29T17:37:16.719Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:37:16.719Z",
+ "modified": "2025-04-16T23:04:06.487Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json b/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json
index 7a314da9f1..f284fe37a9 100644
--- a/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json
+++ b/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--972af3ed-1ff6-4810-9db1-1174d7cb07ef",
+ "id": "bundle--715da7e3-b664-4289-a9c0-a720f1db1e6f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed",
"created": "2023-09-28T19:41:30.623Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:41:30.623Z",
+ "modified": "2025-04-16T23:04:06.728Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json b/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json
index 6a0b303459..e7e19b4f43 100644
--- a/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json
+++ b/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9415cfc5-5f95-4500-bacf-9d834c0c2f02",
+ "id": "bundle--491bcfcd-a3a8-4984-a3a1-a4450f035ef6",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:54:49.878Z",
+ "modified": "2025-04-16T23:04:06.928Z",
"description": "[KillDisk](https://attack.mitre.org/software/S0607) deletes application, security, setup, and system event logs from Windows systems. (Citation: Anton Cherepanov)",
"relationship_type": "uses",
"source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json b/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json
index 0b86294f4e..c579adafb9 100644
--- a/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json
+++ b/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4c24bd67-def4-4dfc-ab8a-65e11fea0c78",
+ "id": "bundle--c6b5c522-67b8-4b82-80da-8b0e51fe638a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291",
"created": "2023-10-02T20:20:19.426Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:20:19.426Z",
+ "modified": "2025-04-16T23:04:07.145Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee.json b/ics-attack/relationship/relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee.json
new file mode 100644
index 0000000000..ba1986bf5f
--- /dev/null
+++ b/ics-attack/relationship/relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--5ee4886e-9d4e-4690-ae74-3921191eebbe",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee",
+ "created": "2024-11-20T23:26:28.979Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:07.373Z",
+ "description": "During [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary initiated a firmware downgrade on impacted devices.(Citation: Dragos FROSTYGOOP 2024)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f",
+ "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json b/ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json
index 1179b25c2b..8b78f47ee0 100644
--- a/ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json
+++ b/ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--22e33ca6-0291-46f9-8a8c-56c01615d885",
+ "id": "bundle--1cd176d3-1dec-47d4-9fba-6c33a6cd28eb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ac933d76-8207-4bf7-add2-92b60cf3044b",
"created": "2023-09-28T20:04:54.213Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:04:54.213Z",
+ "modified": "2025-04-16T23:04:07.564Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json b/ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json
index b1584695f8..e629785ea5 100644
--- a/ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json
+++ b/ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--31ac5782-afcb-462c-ae49-cc8854185a92",
+ "id": "bundle--a835739e-327f-4785-950e-669d16d8ff35",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.266Z",
+ "modified": "2025-04-16T23:04:07.778Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breaks after gaining control of operator workstations and accessing a distribution management system (DMS) application. (Citation: Ukraine15 - EISAC - 201603)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json b/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json
index 1a495582d3..e284bc7109 100644
--- a/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json
+++ b/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json
@@ -1,30 +1,30 @@
{
"type": "bundle",
- "id": "bundle--a7ca1520-4ff3-44b4-b9d3-578715521f44",
+ "id": "bundle--f1175920-54ba-4a83-9e04-70897505755c",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472",
"type": "relationship",
+ "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472",
"created": "2019-04-17T14:45:59.681Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
+ "source_name": "FireEye FIN6 Apr 2019",
"description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.",
- "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
- "source_name": "FireEye FIN6 Apr 2019"
+ "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"
}
],
- "modified": "2019-06-28T14:59:17.849Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T22:39:22.852Z",
"description": "(Citation: FireEye FIN6 Apr 2019)",
"relationship_type": "uses",
"source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json b/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json
index d223fc50ec..a69919b726 100644
--- a/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json
+++ b/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d49158dc-11f8-43d2-a892-70d191b5e5e3",
+ "id": "bundle--a76f8494-037f-4ded-9c6b-ebfd66d23d5e",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:36:33.957Z",
+ "modified": "2025-04-16T23:04:08.056Z",
"description": "Monitor network traffic for anomalies associated with known AiTM behavior. For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json b/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json
index 2673a49d3a..d78efe6d45 100644
--- a/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json
+++ b/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--9bcce966-c22c-4de7-99c1-a872636e5a91",
+ "id": "bundle--adec8ea0-08bf-4c2c-a814-56b68d7020f9",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.111Z",
- "relationship_type": "mitigates",
- "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. (Citation: Karen Scarfone; Paul Hoffman September 2009)\n",
- "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9",
- "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Karen Scarfone; Paul Hoffman September 2009",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:08.275Z",
+ "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. (Citation: Karen Scarfone; Paul Hoffman September 2009)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9",
+ "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json b/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json
index e3a9f0a962..2081771aef 100644
--- a/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json
+++ b/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--89134501-db97-4033-8736-66c219205d6e",
+ "id": "bundle--0165cb42-ef6c-426b-96ef-7f89d29add08",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b",
"created": "2023-09-28T21:12:39.257Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:12:39.257Z",
+ "modified": "2025-04-16T23:04:08.481Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json b/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json
index 36fa38e84c..d90721fea4 100644
--- a/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json
+++ b/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--0eed449e-0b47-41a6-9ba6-2081bd946c26",
+ "id": "bundle--6983f0ee-88b3-4349-9c5c-a0521c845824",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.065Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:08.707Z",
"description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json b/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json
index b95a8f1fef..0e85127219 100644
--- a/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json
+++ b/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--fb2dd71f-a528-48b6-b3db-0ea8af87b8bf",
+ "id": "bundle--2563a259-bdc2-46ab-88ba-d8e1d33b2f9b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--adf2072c-0341-4fc2-9d25-495b4af864e9",
"created": "2023-03-10T20:09:22.370Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:09:22.370Z",
+ "modified": "2025-04-16T23:04:08.919Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network preventing them from issuing any controls.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json b/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json
index be8e487f8c..3c64f369b8 100644
--- a/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json
+++ b/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--eef83e10-5c5d-44a6-9fc8-b2cbe1fcd25c",
+ "id": "bundle--f5b9cf70-5c16-40da-9bf5-c80c9cc720c0",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b",
+ "created": "2021-04-12T18:59:17.429Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-12T18:59:17.429Z",
- "modified": "2022-05-06T17:47:24.188Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:09.130Z",
"description": "Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json b/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json
index 2297fea9eb..ee45ef5aab 100644
--- a/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json
+++ b/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1ddf6e86-c7c5-42d3-a0b5-2dd559174779",
+ "id": "bundle--8199182f-9729-423b-93ee-9a7c259da7c8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc",
"created": "2023-09-28T19:50:14.201Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:50:14.201Z",
+ "modified": "2025-04-16T23:04:09.371Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json b/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json
index a445dd6d03..635082ea8c 100644
--- a/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json
+++ b/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--ffd22de2-d6be-4cfd-8097-75c92c78c049",
+ "id": "bundle--765aaecd-71b5-4e56-a040-ea04b69a2328",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.167Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:09.574Z",
"description": "Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433",
"target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json b/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json
index 6ebd056d28..9ae726e2ab 100644
--- a/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json
+++ b/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--8162b832-71ec-451b-b24c-c351ef0c46f1",
+ "id": "bundle--d5916b6b-d1df-4b00-9705-0a689ca4e479",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c",
"created": "2023-03-10T20:36:34.109Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:36:34.109Z",
+ "modified": "2025-04-16T23:04:09.798Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json b/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json
index 9a8703e1a8..0ebd348ae8 100644
--- a/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json
+++ b/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--69c62600-1e6d-42e1-9294-81c919f23f93",
+ "id": "bundle--439ff4be-8c6b-4360-9c76-d7c48dfdac2c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--af20f409-05ed-42c3-ae3e-09b047b84875",
"created": "2023-09-25T20:49:25.308Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:49:25.308Z",
+ "modified": "2025-04-16T23:04:09.998Z",
"description": "All field controllers should require that user authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies,\u00a0Password Policies, and\u00a0User Account Management.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json b/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json
index ea7c9100f0..535c93a7a8 100644
--- a/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json
+++ b/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--89dde6ba-875b-4e26-9aff-421ea3f7912f",
+ "id": "bundle--bbfafa40-6b5c-4e06-95e8-879efe1b5d2a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:39:13.371Z",
+ "modified": "2025-04-16T23:04:10.199Z",
"description": "Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json b/ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json
index 15fe1de375..38811fdb72 100644
--- a/ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json
+++ b/ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ebcf525b-16dd-4351-a538-4d005b0ad492",
+ "id": "bundle--a710ca42-62d5-4893-88aa-d757a93d9026",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379",
"created": "2023-09-28T21:17:32.313Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:17:32.313Z",
+ "modified": "2025-04-16T23:04:10.410Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json b/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json
index eacbc8099e..bea9ebe4b6 100644
--- a/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json
+++ b/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--309b9ef2-71b5-42dc-a276-d12b3de252a8",
+ "id": "bundle--a8403fa0-9b97-45b4-818c-c94ba1116db1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d",
"created": "2023-09-29T16:44:42.393Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:44:42.393Z",
+ "modified": "2025-04-16T23:04:10.609Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json b/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json
index ac71549fc3..49d03cc7e5 100644
--- a/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json
+++ b/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--185955c4-2adf-49a1-991f-a57db931c865",
+ "id": "bundle--0ec4847a-08a8-4cdc-81f5-ee689e3b635d",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.133Z",
- "relationship_type": "mitigates",
- "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
- "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
- "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "M. Rentschler and H. Heine",
@@ -23,9 +15,16 @@
"url": "https://ieeexplore.ieee.org/document/6505877"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:10.861Z",
+ "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
+ "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json b/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json
index d6d333d131..95299cf1c8 100644
--- a/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json
+++ b/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--539772cb-7e79-4c8d-b1c9-983d2972a89f",
+ "id": "bundle--fcc39a10-8e09-4269-a89e-c8a5a47aa149",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.061Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:11.078Z",
"description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json b/ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json
index 9922ff6ef5..50767f5a39 100644
--- a/ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json
+++ b/ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9b94310e-925e-46a5-bd37-1cc71abf3a9d",
+ "id": "bundle--e66d0b93-02cd-4a38-91b3-c87e9418b7ca",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1",
"created": "2023-09-29T17:37:41.336Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:37:41.336Z",
+ "modified": "2025-04-16T23:04:11.313Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json b/ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json
index 685c70c30d..e6a572bcca 100644
--- a/ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json
+++ b/ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a126e153-9510-4f04-a52c-98f784b6b7c7",
+ "id": "bundle--ab706a4f-dd39-4d65-8b2a-c846ec36368a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1",
"created": "2023-09-29T16:40:30.440Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:40:30.440Z",
+ "modified": "2025-04-16T23:04:11.511Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b05d678b-4d87-4261-9366-f8b757a77661.json b/ics-attack/relationship/relationship--b05d678b-4d87-4261-9366-f8b757a77661.json
index fd3830043a..d1d18f52a5 100644
--- a/ics-attack/relationship/relationship--b05d678b-4d87-4261-9366-f8b757a77661.json
+++ b/ics-attack/relationship/relationship--b05d678b-4d87-4261-9366-f8b757a77661.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--85f0f3a1-dede-4ade-bccd-f3cfd4674216",
+ "id": "bundle--4c1db20e-898d-4a04-9dda-117fa8199778",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:01:54.735Z",
+ "modified": "2025-04-16T23:04:11.724Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) would programmatically return the controller to a normal running state if the [Triton](https://attack.mitre.org/software/S1009) malware failed. If the controller could not recover in a defined time window, [TEMP.Veles](https://attack.mitre.org/groups/G0088) programmatically overwrote their malicious program with invalid data.(Citation: FireEye TRITON Dec 2017)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json b/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json
index ce9e2ff9d6..fc2780e78c 100644
--- a/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json
+++ b/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--15fc1d56-0378-4942-8f8a-4180186b4a1f",
+ "id": "bundle--b39414be-ff6b-42d8-9ceb-e420b17bda72",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7",
"created": "2022-09-27T15:30:18.604Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:30:18.604Z",
+ "modified": "2025-04-16T23:04:11.923Z",
"description": "Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json b/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json
index b787c3c560..7a913c3f0c 100644
--- a/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json
+++ b/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--99b5a599-ada0-4657-897f-1646629fbf8d",
+ "id": "bundle--db5a8808-8026-4f54-b72e-589ebbf27c46",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b07e6896-a840-49a1-8d58-94396a902b95",
"created": "2023-03-31T17:56:07.978Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-31T17:56:07.978Z",
+ "modified": "2025-04-16T23:04:12.125Z",
"description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) supplied the name of the payload DLL to [Industroyer](https://attack.mitre.org/software/S0604) via a command line parameter.(Citation: ESET Industroyer)",
"relationship_type": "uses",
"source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json b/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json
index 9166431cc5..e44b7f12bc 100644
--- a/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json
+++ b/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--009dac21-3ac6-4b21-9821-728a6064ec24",
+ "id": "bundle--200d50f3-0e83-476e-8849-9db702cc6a0a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1",
"created": "2023-09-28T21:21:18.081Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:21:18.081Z",
+ "modified": "2025-04-16T23:04:12.342Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json b/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json
index 65fc7426c3..539c7b8455 100644
--- a/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json
+++ b/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--39fc05e0-0b16-4298-8396-6681537389a0",
+ "id": "bundle--4ae8019d-ad82-4dd1-b03d-a1f075031820",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:43:36.467Z",
+ "modified": "2025-04-16T23:04:12.538Z",
"description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json b/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json
index 4a4039b97e..4fd009a487 100644
--- a/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json
+++ b/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a8fd7486-ffb0-45d0-978e-31a6ea9f6ceb",
+ "id": "bundle--0a3370b0-1646-4487-b4fc-96d2f66b045e",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:59:13.486Z",
+ "modified": "2025-04-16T23:04:12.743Z",
"description": "Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json b/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json
index 7a2f2592a1..d31afc8918 100644
--- a/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json
+++ b/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4f008189-4d9b-44f1-af1a-5cc24099ca3a",
+ "id": "bundle--bd0062e5-16fd-440d-b6d0-454354ce61fb",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:56:58.977Z",
+ "modified": "2025-04-16T23:04:12.967Z",
"description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json b/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json
index b8100cf3a9..bc6b763db7 100644
--- a/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json
+++ b/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2d99e479-71af-48b5-b014-86b7a6686951",
+ "id": "bundle--aedd50dd-bfb5-4b93-961e-acfa17a1bfde",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T16:44:13.707Z",
+ "modified": "2025-04-16T23:04:13.168Z",
"description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json b/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json
index 77560259d0..e602347a94 100644
--- a/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json
+++ b/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--3acc7d94-e23c-4a03-90d8-b92d78c5c936",
+ "id": "bundle--52bf1073-4799-4274-8b29-3e4b498e7c6a",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--b1768154-221c-48be-ab2b-549ec1eddafb",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.068Z",
- "relationship_type": "mitigates",
- "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Karen Scarfone; Paul Hoffman September 2009",
@@ -38,9 +30,16 @@
"url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:13.395Z",
+ "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json b/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json
index 58a73383bc..9283dcd622 100644
--- a/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json
+++ b/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1d23e081-8f96-48ee-b05c-5b19c7b9e063",
+ "id": "bundle--18b72fc9-f9bb-4cf1-aefd-3d3ec23e978b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec",
"created": "2022-09-26T15:38:45.913Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:38:45.913Z",
+ "modified": "2025-04-16T23:04:13.597Z",
"description": "Monitor for loss of expected device alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json b/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json
index c2d18e2f46..2f1da973d3 100644
--- a/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json
+++ b/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--72923cf7-0ad2-4fa1-9dc7-fe2ff082a231",
+ "id": "bundle--8f90645d-f0e7-4ed2-9462-2e501ff72050",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b1921480-8499-46a9-8396-2a2d747c5861",
"created": "2023-09-28T19:58:00.892Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:58:00.892Z",
+ "modified": "2025-04-16T23:04:13.826Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json b/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json
index 983f96a070..8ae2441738 100644
--- a/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json
+++ b/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--69007443-7840-4b17-9126-099e51fdf5bf",
+ "id": "bundle--3a91ac62-6687-44ea-b79b-fdc2353b2e97",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.228Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:14.030Z",
"description": "If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json b/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json
index ce2f9b1214..9ded02fd0c 100644
--- a/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json
+++ b/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--17e4c616-4e68-4b3a-b322-e6135fd938ef",
+ "id": "bundle--b64a6a5d-ae6b-4993-be8b-4fe6290fffa6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b21e0340-976d-44b2-94ae-f777199993c6",
"created": "2023-09-28T19:39:00.326Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:39:00.326Z",
+ "modified": "2025-04-16T23:04:14.229Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json b/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json
index b507047186..971d21393e 100644
--- a/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json
+++ b/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--5deae28a-2be4-4018-b5e9-4ef350ecdf8c",
+ "id": "bundle--4e0528dd-6ac8-4236-9142-86d45509d87c",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:55:06.661Z",
+ "modified": "2025-04-16T23:04:14.424Z",
"description": "[KillDisk](https://attack.mitre.org/software/S0607) is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. (Citation: Anton Cherepanov)",
"relationship_type": "uses",
"source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
"target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b259c196-2a23-4173-9ed5-aae1c948579e.json b/ics-attack/relationship/relationship--b259c196-2a23-4173-9ed5-aae1c948579e.json
index b50a3ee06f..6965bf348b 100644
--- a/ics-attack/relationship/relationship--b259c196-2a23-4173-9ed5-aae1c948579e.json
+++ b/ics-attack/relationship/relationship--b259c196-2a23-4173-9ed5-aae1c948579e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--19b0dcc3-f558-4e6b-85ac-7f89e07cf20c",
+ "id": "bundle--4901d0ff-e241-4ffd-ae23-8de12f8b5422",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-28T18:40:48.243Z",
+ "modified": "2025-04-16T23:04:14.627Z",
"description": "Monitor for unusual processes execution, especially for processes that allow the proxy execution of malicious files.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json b/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json
index 460efeff90..2e3058ea3a 100644
--- a/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json
+++ b/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9881cc00-e7c0-40d3-be56-db0519c80630",
+ "id": "bundle--f03d3dbf-e23e-4be0-a1e6-53ec6d0e4c78",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a",
"created": "2023-09-28T21:10:50.480Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:10:50.480Z",
+ "modified": "2025-04-16T23:04:14.850Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json b/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json
index 98811e7b6a..8fbcb57392 100644
--- a/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json
+++ b/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--81eebdf0-5856-4b4c-b94c-a1e40ca619b9",
+ "id": "bundle--51ae4455-63ec-45ac-9e4a-0669e15922e1",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.192Z",
- "relationship_type": "mitigates",
- "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n",
- "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
- "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "D. Parsons and D. Wylie September 2019",
@@ -43,9 +35,16 @@
"url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:15.061Z",
+ "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
+ "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json b/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json
index 9100ad4489..7d4d019d80 100644
--- a/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json
+++ b/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--b051e0e7-69f3-4791-ab4b-7f169d8a6246",
+ "id": "bundle--b48f78c7-d0d8-4203-b005-171558cf0311",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.239Z",
- "relationship_type": "mitigates",
- "description": "Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n",
- "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e",
- "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "DHS National Urban Security Technology Laboratory April 2019",
@@ -23,9 +15,16 @@
"url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:15.268Z",
+ "description": "Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e",
+ "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json b/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json
index 62c85b4349..52a3fd6562 100644
--- a/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json
+++ b/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--047652cb-3afb-4f1f-9181-58a689818292",
+ "id": "bundle--6339c178-37f1-410e-9117-2e3b614dd60d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f",
"created": "2023-09-29T17:42:11.005Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:42:11.005Z",
+ "modified": "2025-04-16T23:04:15.471Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json b/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json
index 77e39042b8..32a6802608 100644
--- a/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json
+++ b/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0afb579e-a02a-434e-ab6b-1f06104303ac",
+ "id": "bundle--36dc9bfa-300e-4e06-88f1-f49108a1676c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b33f2abc-a218-425b-9a90-b75445b7e142",
"created": "2023-09-29T18:05:51.795Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:05:51.795Z",
+ "modified": "2025-04-16T23:04:15.729Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json b/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json
index def4d1c34e..1358762725 100644
--- a/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json
+++ b/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c4647a97-781b-4f25-af6f-280ad5ab98d0",
+ "id": "bundle--b43c3214-dff5-4bb1-b118-fa066fbcd0a0",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:06:51.429Z",
+ "modified": "2025-04-16T23:04:15.914Z",
"description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) targeted several ICS vendors and manufacturers. (Citation: Dragos Threat Intelligence August 2019)",
"relationship_type": "uses",
"source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4",
"target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json b/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json
index 9372c9d3f6..92de2b8e98 100644
--- a/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json
+++ b/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--cb1fe9d1-8c8b-4f8b-9cef-db8c2c930728",
+ "id": "bundle--b8cfe2c5-87eb-4d36-b452-ac5a2ee8f6da",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.444Z",
+ "modified": "2025-04-16T23:04:16.120Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to upload programs from Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server.(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json b/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json
index 48141d6d29..e114eab40d 100644
--- a/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json
+++ b/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json
@@ -1,50 +1,50 @@
{
"type": "bundle",
- "id": "bundle--e991298c-0fc9-45fd-848d-65ab3a443af2",
+ "id": "bundle--4c210600-9718-432e-ba2c-6f6a96db29d5",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa",
"type": "relationship",
+ "id": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa",
"created": "2017-05-31T21:33:27.070Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
- "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
+ "source_name": "iSIGHT Sandworm 2014",
"description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.",
- "source_name": "iSIGHT Sandworm 2014"
+ "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"
},
{
- "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf",
+ "source_name": "F-Secure BlackEnergy 2014",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
- "source_name": "F-Secure BlackEnergy 2014"
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
},
{
"source_name": "US District Court Indictment GRU Unit 74455 October 2020",
- "url": "https://www.justice.gov/opa/press-release/file/1328521/download",
- "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."
+ "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.",
+ "url": "https://www.justice.gov/opa/press-release/file/1328521/download"
},
{
"source_name": "UK NCSC Olympic Attacks October 2020",
- "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
- "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020."
+ "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.",
+ "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"
},
{
"source_name": "Secureworks IRON VIKING ",
- "url": "https://www.secureworks.com/research/threat-profiles/iron-viking",
- "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."
+ "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.",
+ "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"
}
],
- "modified": "2022-02-28T17:02:50.401Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T22:40:57.405Z",
"description": "(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json b/ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json
index efb9dada71..aabad7bdfe 100644
--- a/ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json
+++ b/ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--15697105-7659-437c-b7cc-adbd9637fb4c",
+ "id": "bundle--cc0c105f-8bc1-4edf-b337-254beaa050d2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b352884f-2a60-41c6-b348-0bbb5859802a",
"created": "2023-09-28T20:01:52.459Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:01:52.459Z",
+ "modified": "2025-04-16T23:04:16.436Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json b/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json
index d06c6cf8dc..db4e68c161 100644
--- a/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json
+++ b/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--13d14b77-22f9-4c48-90cc-10bb246d67cd",
+ "id": "bundle--84b791cc-d630-4c95-a646-e709d91eb997",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.236Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:16.649Z",
"description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a",
"target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json b/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json
index 78c8a7128c..c28db98a19 100644
--- a/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json
+++ b/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--099223ec-452f-4136-a1b7-41f04cd94143",
+ "id": "bundle--5f42733f-7d04-4514-b22f-de5e2c30da2c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b37844c1-0338-44f6-9116-48fa0f079913",
"created": "2023-09-29T17:41:11.611Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:41:11.611Z",
+ "modified": "2025-04-16T23:04:16.850Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json b/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json
index 3d5f45b0bf..9c85b4da5d 100644
--- a/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json
+++ b/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0d30686e-0a73-4193-b705-ac04fabda5e6",
+ "id": "bundle--2ac45e21-0a53-4048-adb8-34caba193c1e",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:07:07.445Z",
+ "modified": "2025-04-16T23:04:17.043Z",
"description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilizes watering hole websites to target industrial employees. (Citation: Chris Bing May 2018)",
"relationship_type": "uses",
"source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json b/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json
index ba766faa0c..d1c81a3a69 100644
--- a/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json
+++ b/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a357fe0f-ae5c-4a5a-9ae3-46ca7091d4f7",
+ "id": "bundle--0f9f295b-c18e-4ac0-9439-968d039951c9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2",
"created": "2023-09-28T19:48:58.160Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:48:58.160Z",
+ "modified": "2025-04-16T23:04:17.270Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json b/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json
index 8d85c58270..a52b37e5d6 100644
--- a/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json
+++ b/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--a1fe3bfc-5408-4c55-82f3-386edbc98db0",
+ "id": "bundle--a8f897e5-c1c9-4e86-abd1-996f58b700ea",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b3b24837-83ed-46c5-ba80-66a832c7072e",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b3b24837-83ed-46c5-ba80-66a832c7072e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.062Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:17.458Z",
"description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json b/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json
index 42f70b5694..8ac9ac69ca 100644
--- a/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json
+++ b/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--417ee943-af04-48ae-a6da-2d1be0f0827d",
+ "id": "bundle--4c4c8c51-1b91-470a-8b4d-702cb7dfc59a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T17:00:06.347Z",
+ "modified": "2025-04-16T23:04:17.660Z",
"description": "Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json b/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json
index 2f2abc7a63..a6fc5fbfa4 100644
--- a/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json
+++ b/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--da0984dd-f4c5-4d5d-9a64-e6a364ba37b0",
+ "id": "bundle--f7d5a226-a2aa-46a6-9ee8-c578fab9bdbb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08",
"created": "2023-09-28T20:02:20.170Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:02:20.170Z",
+ "modified": "2025-04-16T23:04:17.889Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json b/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json
index 18b39c93d5..d333af2a6a 100644
--- a/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json
+++ b/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--119acf82-ffe0-41e5-b66a-09f633f0fb69",
+ "id": "bundle--edf74fea-b14a-451c-a710-3beabef215de",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:55:23.573Z",
+ "modified": "2025-04-16T23:04:18.084Z",
"description": "[KillDisk](https://attack.mitre.org/software/S0607) looks for and terminates two non-standard processes, one of which is an ICS application. (Citation: Anton Cherepanov)",
"relationship_type": "uses",
"source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
"target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json b/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json
index 609b534ccb..6e1656abe8 100644
--- a/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json
+++ b/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1ecbf3eb-95db-4b20-80e2-b0c028e9a5f7",
+ "id": "bundle--9a31a311-20cc-44dd-9be6-1f45ae1f813b",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T14:34:42.612Z",
+ "modified": "2025-04-16T23:04:18.309Z",
"description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json b/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json
index a2bc25e617..28b54ee058 100644
--- a/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json
+++ b/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--eebd47bc-3344-4c67-b34f-cc8fb62508fe",
+ "id": "bundle--3a01bca6-6f6e-413b-8741-2bdfe3f49f03",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3",
"created": "2023-03-30T18:59:30.677Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T18:59:30.677Z",
+ "modified": "2025-04-16T23:04:18.517Z",
"description": "Develop and publish policies that define acceptable information to be stored on local systems.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba",
"target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json b/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json
index 6e0da9d46c..de108df54a 100644
--- a/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json
+++ b/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--632788a2-952d-4909-b045-22193aba74b2",
+ "id": "bundle--3518bdfa-f2d3-4f1a-a1fc-32b1ba3616e0",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:03:58.153Z",
+ "modified": "2025-04-16T23:04:18.721Z",
"description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if command messages are blocked.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json b/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json
index ad5c4ca575..a0182ba1ed 100644
--- a/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json
+++ b/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json
@@ -1,18 +1,19 @@
{
"type": "bundle",
- "id": "bundle--67d4561f-6d87-4d12-b704-9f437f31a1b9",
+ "id": "bundle--6ba298a1-b2cf-4bd2-855a-144d9524c708",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3",
"created": "2022-09-27T17:37:02.670Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "Nzyme Alerts Intro",
- "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.",
- "url": "https://www.nzyme.org/docs/alerts/intro"
+ "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved November 17, 2024.",
+ "url": "https://docs.nzyme.org/wifi/monitoring/network-monitoring/"
},
{
"source_name": "Wireless Intrusion Detection",
@@ -23,16 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T17:37:02.670Z",
+ "modified": "2025-04-16T23:04:18.927Z",
"description": "Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network) detection may be possible. Monitor for new or irregular network traffic flows which may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json b/ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json
index 4c6e69887d..550f488184 100644
--- a/ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json
+++ b/ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c2a3b0a0-66b6-4c65-857a-d2d9c6511404",
+ "id": "bundle--d294730e-6771-43b1-98a1-1997ffc09bb9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa",
"created": "2023-09-29T17:45:55.581Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:45:55.581Z",
+ "modified": "2025-04-16T23:04:19.116Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json b/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json
index ef02192a50..f387723606 100644
--- a/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json
+++ b/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--696f8b53-aaa5-48ab-a279-34f156d76cb0",
+ "id": "bundle--4fff0a85-56bb-4750-8eca-5c95557e3c4e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1",
"created": "2023-03-10T20:10:23.377Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:10:23.377Z",
+ "modified": "2025-04-16T23:04:19.310Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary falsified network addresses in order to send false data and instructions to pumping stations.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json b/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json
index f018ffaa27..563b03ef7c 100644
--- a/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json
+++ b/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b01d6496-55d0-4e5d-845a-f80e5ff4903e",
+ "id": "bundle--eeb13217-ffdd-4e02-8ef3-c8f69fb00f45",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:42:28.408Z",
+ "modified": "2025-04-16T23:04:19.508Z",
"description": "Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json b/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json
index 42d1594709..46b10527de 100644
--- a/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json
+++ b/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2849dd25-7888-4361-b1e3-0c0d6d01665e",
+ "id": "bundle--3b4347ea-8a33-499f-8f2b-5f32b71aaf61",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b59a96e4-bd70-4459-9609-66563bccd9c3",
"created": "2023-09-29T16:38:21.688Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:38:21.688Z",
+ "modified": "2025-04-16T23:04:19.725Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json b/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json
index 5d9072ab81..ad71b7d15c 100644
--- a/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json
+++ b/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ec4cd201-b916-4523-a4c6-5405d40cdfde",
+ "id": "bundle--3b9ac631-06b6-41cc-b50f-1e2f521f0a6e",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:57:06.704Z",
+ "modified": "2025-04-16T23:04:19.939Z",
"description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of control which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)",
"relationship_type": "uses",
"source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48",
"target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json b/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json
index 72cdbf30d5..cc6d07dff3 100644
--- a/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json
+++ b/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--774e3f83-605f-4b05-9d39-d2cc5bbe7ac2",
+ "id": "bundle--62fe8305-c011-4e51-844b-3cb6c0101914",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.143Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:20.134Z",
"description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433",
"target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json b/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json
index 87b8035b5f..08b84099fa 100644
--- a/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json
+++ b/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--4b8611a3-9261-4da2-8338-4bbeae8feb66",
+ "id": "bundle--649bbf9a-b623-4725-86c0-621d76e4bc3f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.200Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:20.378Z",
"description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433",
"target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json b/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json
index 23e7b7728a..e80d479dcc 100644
--- a/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json
+++ b/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--8db935f4-b32a-438f-9bc6-c8442ec016bd",
+ "id": "bundle--1b2c806f-1c41-4502-80c2-ffb7a9fa3b3d",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b628d878-4f35-4580-8d42-26984d13821e",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b628d878-4f35-4580-8d42-26984d13821e",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.143Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:20.585Z",
"description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json b/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json
index 8d95d830f6..5549a8a672 100644
--- a/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json
+++ b/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--94a66b2e-ecab-40d8-a770-71e4dce50413",
+ "id": "bundle--4dd29e60-7536-423d-9f3e-fedbf308f124",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b6309476-8268-4c47-920b-8a556cd8ae4c",
"created": "2023-09-29T18:47:07.359Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:47:07.359Z",
+ "modified": "2025-04-16T23:04:20.814Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json b/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json
index 3c066e4f88..15851d9b7c 100644
--- a/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json
+++ b/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7677fa41-1378-4159-8b5f-967ed1a2283c",
+ "id": "bundle--5030ff6e-510e-468d-8a58-a44eef488510",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b69905bd-6865-4092-9543-47bd9ae318ec",
"created": "2023-09-28T19:54:22.618Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:54:22.618Z",
+ "modified": "2025-04-16T23:04:20.999Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json b/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json
index f0bc71729d..1b4bb67931 100644
--- a/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json
+++ b/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--5eddbaaa-4d4b-41b0-81a9-62b886d45081",
+ "id": "bundle--1f2303f9-4cb1-44a5-b385-cc34cd1a95f7",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.232Z",
- "relationship_type": "mitigates",
- "description": "Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). (Citation: CISA June 2013)\n",
- "source_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7",
- "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "CISA June 2013",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:21.189Z",
+ "description": "Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). (Citation: CISA June 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7",
+ "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json b/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json
index a528bcda24..bf193d22a5 100644
--- a/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json
+++ b/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--551c2e52-971e-4123-abdd-565cc4ebc9ae",
+ "id": "bundle--5a812d5d-b1ca-4181-9be3-96572c67690b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b7284360-0d80-45bb-8486-263ae8f8fa63",
"created": "2023-09-28T21:26:01.106Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:26:01.106Z",
+ "modified": "2025-04-16T23:04:21.421Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json b/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json
index 07ae1a489f..5171ca5913 100644
--- a/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json
+++ b/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--21f1b7b5-6dc7-49a3-bba9-f51597a6fdf1",
+ "id": "bundle--c69704ee-3c0a-46a8-ac7c-6941964a8d56",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.128Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:21.649Z",
"description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json b/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json
index 0a0e2ebbf7..2a93f53ee9 100644
--- a/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json
+++ b/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--01996a7b-1166-4242-91db-5c4f48bda98c",
+ "id": "bundle--0533b7ab-7fb4-4ab4-a1bc-607bb36003a2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b7344dfb-621b-4558-ab22-6c1f256ee746",
"created": "2023-09-29T16:46:27.408Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:46:27.408Z",
+ "modified": "2025-04-16T23:04:21.886Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json b/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json
index 89fdb5ed67..4e79bc55e3 100644
--- a/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json
+++ b/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fb22e957-dea8-41d4-a27f-866557bda908",
+ "id": "bundle--d3d634f5-caa1-42c4-9994-892f765aa0b1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2",
"created": "2023-09-29T18:57:10.064Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:57:10.064Z",
+ "modified": "2025-04-16T23:04:22.081Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json b/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json
index ede9190741..c794bbceb3 100644
--- a/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json
+++ b/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--53cf3eff-6e4c-4d66-b204-3378d2f5526c",
+ "id": "bundle--9288ca00-f5d1-4ce4-b52c-34c30e89fb5c",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T20:51:43.487Z",
+ "modified": "2025-04-16T23:04:22.281Z",
"description": "Monitor for unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json b/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json
index 894179f925..f9dbf88ae2 100644
--- a/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json
+++ b/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5c59e789-3fa7-4eb6-a153-06a62d2d1492",
+ "id": "bundle--3025f337-9185-4b42-ab3b-df1c4be84389",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586",
"created": "2023-09-28T19:51:42.728Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:51:42.728Z",
+ "modified": "2025-04-16T23:04:22.505Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json b/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json
index 646f7b0280..a295c9a69a 100644
--- a/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json
+++ b/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--1ee2a409-17cc-44f9-8ebc-88fe96487be4",
+ "id": "bundle--f4fe8e22-a331-42c0-b1b4-8970bf05d368",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.172Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:22.734Z",
"description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json b/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json
index 0ae053c97e..f7cddcb2ec 100644
--- a/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json
+++ b/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e69ceca6-148a-4469-8b7a-f3a6fa4336d4",
+ "id": "bundle--0e22acdd-f792-467b-9742-04ca81676d7e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e",
"created": "2023-09-29T18:42:53.573Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:42:53.573Z",
+ "modified": "2025-04-16T23:04:22.938Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json b/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json
index 6752015e80..3867730ae1 100644
--- a/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json
+++ b/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0dde81e9-baa7-4aec-9b57-5952267672f5",
+ "id": "bundle--ddf0ec29-5812-403d-9100-47b1984b0e88",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T19:01:52.517Z",
+ "modified": "2025-04-16T23:04:23.123Z",
"description": "Monitor login sessions for new or unexpected devices or sessions on wireless networks.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
"target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json b/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json
index 7fa226f6d9..74939af3ff 100644
--- a/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json
+++ b/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d8871aa2-c4ed-49e6-a7d4-02a339e76095",
+ "id": "bundle--c492cc2e-c415-424a-96b5-88f8ebf415c3",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:45:17.457Z",
+ "modified": "2025-04-16T23:04:23.331Z",
"description": "Monitor for network traffic originating from unknown/unexpected systems.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json b/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json
index 995a087ea8..5d5eb1367f 100644
--- a/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json
+++ b/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--41f035f0-1f55-4385-83d3-0fd7644e226c",
+ "id": "bundle--c07fe0ce-e773-49e7-96fa-3d329638cc22",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T21:23:11.538Z",
+ "modified": "2025-04-16T23:04:23.566Z",
"description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json b/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json
index 88a57c4ea1..d00d305529 100644
--- a/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json
+++ b/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--3de9be6f-bcb2-4e4e-9f85-988aa02059ed",
+ "id": "bundle--9feb8322-bda1-47e8-a671-2ab950ab9273",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd",
+ "created": "2021-10-14T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-10-14T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.226Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:23.767Z",
"description": "Update software on control network assets when possible. If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
"target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json b/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json
index 2f2200334e..0d5dfcec69 100644
--- a/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json
+++ b/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--bac7cd25-0ee1-448a-8aa8-1230e4e5ff14",
+ "id": "bundle--1c03e952-9ea2-4407-99d0-663c3f8154d8",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.097Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:23.961Z",
"description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json b/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json
index d49b391e99..5a2c203762 100644
--- a/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json
+++ b/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--6803e69e-2e0d-4623-9eb0-ad3051bafa59",
+ "id": "bundle--f4e75149-92ca-4284-bb4f-f9ea16f417af",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.222Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:24.167Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json b/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json
index 68f0b5f1a2..4bf14e9730 100644
--- a/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json
+++ b/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--421c8edf-51fc-4fbf-8fd2-647127956eaf",
+ "id": "bundle--88176c06-cef2-4e6d-8e53-72aa8d24bc00",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.091Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:24.380Z",
"description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48",
"target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json b/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json
index 24015df07f..c3e9cb47e0 100644
--- a/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json
+++ b/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--9e3a8cdc-0029-4815-aedb-639e26ff3b31",
+ "id": "bundle--eb160dde-2766-444e-a6c3-b73db2fa6026",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.146Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:24.573Z",
"description": "Require signed binaries.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json b/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json
index 625e73d2db..fd5a673433 100644
--- a/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json
+++ b/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--ecdeabc1-a562-4fdb-86f8-cf53e0626a20",
+ "id": "bundle--9535f548-cc84-4d3d-9071-5356672c2803",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.091Z",
- "relationship_type": "mitigates",
- "description": "Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
- "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:24.803Z",
+ "description": "Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
+ "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json b/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json
index 6ddbf3e52e..855da08946 100644
--- a/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json
+++ b/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--70b56719-880e-4a9d-95d0-73049a790bc7",
+ "id": "bundle--248fe61d-0e26-41ad-98b2-e95f15976eec",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c",
"created": "2023-09-28T21:28:36.325Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:28:36.325Z",
+ "modified": "2025-04-16T23:04:25.010Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json b/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json
index d19cac79f2..e07d90f3ab 100644
--- a/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json
+++ b/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--33916487-3257-4332-9159-d21859175868",
+ "id": "bundle--32649fcb-e2d8-477f-a990-4eed3841b32f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a",
"created": "2023-09-28T20:03:54.209Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:03:54.209Z",
+ "modified": "2025-04-16T23:04:25.206Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json b/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json
index 2406d62afe..6f9c54c40c 100644
--- a/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json
+++ b/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a66aa601-3355-4371-842f-4b8c6be025db",
+ "id": "bundle--6bd09544-de62-45f4-b56f-e9b1c97270a0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7",
"created": "2023-09-29T18:49:34.208Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:49:34.208Z",
+ "modified": "2025-04-16T23:04:25.429Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341.json b/ics-attack/relationship/relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341.json
index 2301cec148..c619380c47 100644
--- a/ics-attack/relationship/relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341.json
+++ b/ics-attack/relationship/relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f0bfac69-74c6-4d4a-b4c4-b02b1b144510",
+ "id": "bundle--7f1b5914-6374-421e-8ecd-353424eebed9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341",
"created": "2024-03-25T20:17:36.433Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-25T20:17:36.433Z",
+ "modified": "2025-04-16T23:04:25.662Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json b/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json
index a3943d1a45..2e879dc9a4 100644
--- a/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json
+++ b/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--265afb66-1513-4f48-b32e-1e8799862f27",
+ "id": "bundle--fea22a1f-7702-4d39-a4d3-9926671cb940",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.184Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:25.877Z",
"description": "Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json b/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json
index d2cb727cb9..58fe6e6089 100644
--- a/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json
+++ b/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--5cf5b33c-f4d9-4794-9712-d1b19ddcc52a",
+ "id": "bundle--fbbb6c3a-7f21-4aa0-96f6-ac378ba6711d",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--baf7daf3-2116-4051-91b5-f82e146167d0",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--baf7daf3-2116-4051-91b5-f82e146167d0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.235Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:26.100Z",
"description": "Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json b/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json
index 03dde5ee02..78fa53263c 100644
--- a/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json
+++ b/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--78a81a9a-aa7a-4b81-bcb3-0b0c09205db3",
+ "id": "bundle--bad0128f-4177-4dc9-a53a-e71e1db89d7a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259",
"created": "2023-09-29T16:45:08.209Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:45:08.209Z",
+ "modified": "2025-04-16T23:04:26.310Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json b/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json
index adda58cb7e..ea591f2485 100644
--- a/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json
+++ b/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a7d2b272-8170-47fa-ad0e-8424d6fcf965",
+ "id": "bundle--b9275a80-0815-465c-b827-140f8144467a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc",
"created": "2023-09-28T19:53:44.848Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:53:44.848Z",
+ "modified": "2025-04-16T23:04:26.525Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json b/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json
index ae12f01a42..da464008ed 100644
--- a/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json
+++ b/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--9e8f5465-11b4-49b9-a995-52529bcc17ec",
+ "id": "bundle--742d5ca8-cabf-4d89-8b15-ef73a9277ff8",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.222Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:26.729Z",
"description": "Devices should authenticate all messages between master and outstation assets.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json b/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json
index 76774dd6cc..b526c5c6a4 100644
--- a/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json
+++ b/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--f6a87752-4abf-4437-8e01-b35a72a30f2f",
+ "id": "bundle--0d88565f-d718-4fca-ae4a-1a0f67b91052",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.112Z",
- "relationship_type": "mitigates",
- "description": "Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
- "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -28,9 +20,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:26.965Z",
+ "description": "Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
+ "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json b/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json
index 19b8e0da60..f14bec4014 100644
--- a/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json
+++ b/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6f24753c-85a9-451b-b7dd-43523017bf85",
+ "id": "bundle--24e8d277-8a67-4be3-87fa-b971c4ca8b74",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:15:38.341Z",
+ "modified": "2025-04-16T23:04:27.159Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a thread to monitor a data block DB890 of sequence A or B. This thread is constantly running and probing this block (every 5 minutes). On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify his own block DB890), this blocks data can be read and written. This thread is likely used to optimize the way sequences A and B work, and modify their behavior when the Step7 editor is opened. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json b/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json
index 98b0abb431..f76f9fa69b 100644
--- a/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json
+++ b/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b8a4fe83-e591-4ad9-a7d7-48a632e10fd2",
+ "id": "bundle--e57b28f5-ea3a-4549-8351-ecd433642141",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9",
"created": "2023-09-28T21:22:21.776Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:22:21.776Z",
+ "modified": "2025-04-16T23:04:27.370Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json b/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json
index cb3afec101..8d08b34134 100644
--- a/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json
+++ b/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--9555c811-f70c-4bc2-9332-1da11365194b",
+ "id": "bundle--ac090631-861b-4df7-b0d8-302cdfecdbda",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.218Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:27.561Z",
"description": "Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5",
"target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json b/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json
index 6a6f232004..a9a88e2e25 100644
--- a/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json
+++ b/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4c1654ee-2d1a-4da1-951a-4d3b33668416",
+ "id": "bundle--4333f41b-6c33-4604-aa1c-2514409df298",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:49:50.583Z",
+ "modified": "2025-04-16T23:04:27.786Z",
"description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json b/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json
index e75d6a7876..6c18a1b42a 100644
--- a/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json
+++ b/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--eeca9405-3ffd-4ea8-9819-0dd5def7e47d",
+ "id": "bundle--2efdff17-8c71-4b08-a133-b5c3d2e8de04",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:16:10.677Z",
+ "modified": "2025-04-16T23:04:27.985Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json b/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json
index 2b2dac8e76..f016b37d3b 100644
--- a/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json
+++ b/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f51d3815-2cf5-4876-bb1d-2035f4530482",
+ "id": "bundle--ff490dfb-464e-4c9f-978e-d2fd547bcb21",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a",
"created": "2023-09-28T21:16:24.310Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:16:24.310Z",
+ "modified": "2025-04-16T23:04:28.188Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json b/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json
index cf8cda5b11..3e214b0328 100644
--- a/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json
+++ b/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--349cafa6-614a-412e-a978-52b97710a7ae",
+ "id": "bundle--4aeffee3-c0e1-40e6-9c17-3c58bb877c29",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bd869385-5778-4303-8993-cc6412d12303",
"created": "2023-09-29T18:45:59.108Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:45:59.108Z",
+ "modified": "2025-04-16T23:04:28.405Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json b/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json
index 7219b0bcd6..63863231c4 100644
--- a/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json
+++ b/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--24e448d7-e306-4963-bae9-b4c2003fc624",
+ "id": "bundle--50520c24-3c49-4d5f-9955-0c9825d69230",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.203Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:28.592Z",
"description": "Deploy anti-virus on all systems that support external email.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json b/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json
index bba27ca06e..0d74afbb98 100644
--- a/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json
+++ b/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--5e55598c-a235-43e8-9190-8c20f7a70bdd",
+ "id": "bundle--187e20f2-03bc-43a4-a5ec-10ac46c15a0e",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.082Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:28.817Z",
"description": "Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json b/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json
index 4031b1d693..da8f51e92e 100644
--- a/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json
+++ b/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7a385aa3-6bb1-4b61-8d80-c99b60cb3d4b",
+ "id": "bundle--079fccdc-7469-4617-a8c3-2ebc07e41114",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--be0f7d83-2441-4259-b411-46e0d10566b1",
"created": "2023-10-02T20:23:24.179Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:23:24.179Z",
+ "modified": "2025-04-16T23:04:29.045Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json b/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json
index c706cd9608..faa6a1b225 100644
--- a/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json
+++ b/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--59bfd7c2-7634-4347-874d-98eae03a2a8e",
+ "id": "bundle--a346d963-c8ef-4a0b-8197-c85cfe686592",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:16:39.070Z",
+ "modified": "2025-04-16T23:04:29.267Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json b/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json
index a337a6a1db..e86ccd3791 100644
--- a/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json
+++ b/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--23770c97-23e2-4cd4-bf64-d7d29aab8917",
+ "id": "bundle--200f888d-a758-4efb-94ec-722c271fef53",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--be950e87-80ac-49ea-810a-553c7f72151b",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--be950e87-80ac-49ea-810a-553c7f72151b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.073Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:29.476Z",
"description": "Devices should authenticate all messages between master and outstation assets.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json b/ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json
index a1677637ae..a351239a32 100644
--- a/ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json
+++ b/ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--12342b5d-fe2e-4ab1-a9b3-dbd5af1bd8de",
+ "id": "bundle--24f91b01-cafa-4969-a1e1-ccc4d41c6e3c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2",
"created": "2023-09-28T20:31:17.116Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:31:17.116Z",
+ "modified": "2025-04-16T23:04:29.670Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85.json b/ics-attack/relationship/relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85.json
index 9aa91909af..992ef94dd9 100644
--- a/ics-attack/relationship/relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85.json
+++ b/ics-attack/relationship/relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4289fa4d-2233-4f4f-9b4f-d4a4f031b77b",
+ "id": "bundle--372716b2-11e1-4e38-bfa7-340823571c77",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "FireEye TRITON 2018",
- "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"
+ "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:02:15.194Z",
+ "modified": "2025-04-16T23:04:29.874Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used valid credentials when laterally moving through RDP jump boxes into the ICS environment.(Citation: FireEye TRITON 2018)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json b/ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json
index 91cf0f0e62..1ca4e8f3fb 100644
--- a/ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json
+++ b/ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fda666e3-da21-40ee-b86f-7bba9383afa6",
+ "id": "bundle--77fbe816-9c18-4163-b936-73d28cb3d105",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76",
"created": "2023-09-29T16:46:12.472Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:46:12.472Z",
+ "modified": "2025-04-16T23:04:30.059Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json b/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json
index 2afae9195f..d3b28823b5 100644
--- a/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json
+++ b/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ed5794f8-b5e2-4b04-9dc4-6ee1952315d4",
+ "id": "bundle--1b0f5fea-2c4d-4f0c-8b3b-1c2c6a668bbe",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:37:24.268Z",
+ "modified": "2025-04-16T23:04:30.272Z",
"description": "Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json b/ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json
index 6310775c3f..8c788a9a08 100644
--- a/ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json
+++ b/ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--437b1acd-64a5-4ac8-99ce-16bfc87c4790",
+ "id": "bundle--c66f5ac7-c80d-41bc-9d59-db9cf73bec1c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bf8e68fe-1969-48d1-be0e-ec742378748d",
"created": "2023-09-29T18:56:34.302Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:56:34.302Z",
+ "modified": "2025-04-16T23:04:30.459Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json b/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json
index f11cae860b..f260450c53 100644
--- a/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json
+++ b/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--aa353965-666e-4c26-aa30-8fe2f15e5112",
+ "id": "bundle--327c1a8e-9f82-4ece-a2f0-32cb2baad2d3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302",
"created": "2023-09-29T18:06:02.077Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:06:02.077Z",
+ "modified": "2025-04-16T23:04:30.650Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json b/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json
index 3dd557cd78..a447de5d7e 100644
--- a/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json
+++ b/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b455f69b-03e5-4468-b123-70abda989b53",
+ "id": "bundle--86efe808-9954-43fd-9411-83af93f576ea",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bf9f227c-e306-4257-add1-39c7c2e42040",
"created": "2023-09-29T18:47:28.758Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:47:28.758Z",
+ "modified": "2025-04-16T23:04:30.863Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json b/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json
index ce9d86f323..d8f4ad0482 100644
--- a/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json
+++ b/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json
@@ -1,35 +1,35 @@
{
"type": "bundle",
- "id": "bundle--7a24a4fc-dabb-40e6-b823-1061324fa8c3",
+ "id": "bundle--a39145f7-b1bd-489d-aa3b-0b46148032bc",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1",
"type": "relationship",
+ "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1",
"created": "2020-09-22T19:41:27.951Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Secureworks REvil September 2019",
- "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware",
- "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020."
+ "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.",
+ "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"
},
{
"source_name": "Secureworks GandCrab and REvil September 2019",
- "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection",
- "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020."
+ "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.",
+ "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection"
}
],
- "modified": "2020-09-22T19:41:27.951Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T22:44:11.710Z",
"description": "(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)",
"relationship_type": "uses",
"source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133",
"target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json b/ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json
index 170bc070bf..5ef722dadd 100644
--- a/ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json
+++ b/ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0f9f41c0-d9c9-4e85-90a0-e690229e1079",
+ "id": "bundle--2e681a6b-024f-41be-bb00-ac61059e25f4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--bffad8de-a807-4216-9753-008a87d9d77f",
"created": "2023-09-28T19:56:40.730Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:56:40.730Z",
+ "modified": "2025-04-16T23:04:31.162Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json b/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json
index bd7b99c90f..8b4f5ab276 100644
--- a/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json
+++ b/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1ea042dd-8b0f-4cc0-b91b-a78934a1f5ff",
+ "id": "bundle--217c8fa7-0ea5-4a86-b05e-0869d22cbde1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef",
"created": "2023-09-28T21:17:47.080Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:17:47.080Z",
+ "modified": "2025-04-16T23:04:31.380Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json b/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json
index 99467a4852..63dcafbbe8 100644
--- a/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json
+++ b/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--bdcaca08-4b85-4804-957a-028e0eb7d68c",
+ "id": "bundle--81f475ae-8fdd-4516-95a6-16bdb82cdbc9",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--c0efb24a-2329-401a-bba6-817f2867bb3f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.183Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:31.571Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json b/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json
index 8a0aaa7070..e899786d55 100644
--- a/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json
+++ b/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--20246e7f-40fb-4782-b8d6-8e94ecab9a24",
+ "id": "bundle--ab246234-17e6-41d0-89bd-f42f6df1a6e6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f",
"created": "2023-03-10T20:34:55.362Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:34:55.362Z",
+ "modified": "2025-04-16T23:04:31.814Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary suppressed alarm reporting to the central computer.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json b/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json
index da80607546..9d2606a55f 100644
--- a/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json
+++ b/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1f85ed62-ab35-4482-b0a8-4065679ec5cc",
+ "id": "bundle--f009f3ff-27ec-4333-99b4-a90d0defbde2",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:38:15.307Z",
+ "modified": "2025-04-16T23:04:32.003Z",
"description": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7.json b/ics-attack/relationship/relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7.json
index e9aeee89a7..19df802a15 100644
--- a/ics-attack/relationship/relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7.json
+++ b/ics-attack/relationship/relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9f5cf17f-2faa-48be-8633-0b743f9e5a77",
+ "id": "bundle--0c2ff8ad-595c-45a0-b706-83c7e5d9497f",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:02:24.842Z",
+ "modified": "2025-04-16T23:04:32.208Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) made attempts on multiple victim machines to transfer and execute the WMImplant tool.(Citation: FireEye TEMP.Veles 2018)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json b/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json
index f7fbe9ef9b..23256cf86a 100644
--- a/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json
+++ b/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--35c6d155-7ecf-4c81-957d-8be212bf83ac",
+ "id": "bundle--ec75fc5b-fd92-4848-b0e5-c769e552feba",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.204Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:32.422Z",
"description": "Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json b/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json
index c8a9c639f2..e4ca59c8ab 100644
--- a/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json
+++ b/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a8dc9fb6-8617-4ac5-afa1-7634f6698619",
+ "id": "bundle--24f0c3f1-6078-45c1-b1f3-4f4de82656fc",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2",
"created": "2023-09-29T18:09:02.311Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:09:02.311Z",
+ "modified": "2025-04-16T23:04:32.619Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json b/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json
index b3256ae028..e74c442a55 100644
--- a/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json
+++ b/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d6efdf4b-e2a5-47c5-b74e-02b09b417196",
+ "id": "bundle--e2961ad6-cfbf-4abb-941a-786f829ff15b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553",
"created": "2023-09-29T17:09:48.178Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:09:48.178Z",
+ "modified": "2025-04-16T23:04:32.817Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json b/ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json
index b3130cf2c8..535b6904ce 100644
--- a/ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json
+++ b/ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3dbfaeec-f383-4fb3-870f-f8be6015ad22",
+ "id": "bundle--47e5579e-e45f-4476-97ef-63ec9e1c1e53",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5",
"created": "2023-09-29T16:28:39.397Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:28:39.397Z",
+ "modified": "2025-04-16T23:04:33.039Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json b/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json
index 3a30b4efd0..bc53a79056 100644
--- a/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json
+++ b/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--11ace246-9640-4e83-9ae8-b1e2983ebad5",
+ "id": "bundle--416c2de9-ae99-4cb2-ab15-7972b6ae7e3b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c233df49-e450-4151-8a0f-1765faf3d75a",
"created": "2023-09-29T17:08:08.883Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:08:08.883Z",
+ "modified": "2025-04-16T23:04:33.275Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json b/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json
index 2f1addccf2..a89e3e06f5 100644
--- a/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json
+++ b/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--4d99e79b-66eb-4780-ae20-be4d980e5620",
+ "id": "bundle--0bd3cf19-e9d4-470f-b852-19229deffea4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2",
"created": "2023-03-10T20:09:49.009Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:09:49.009Z",
+ "modified": "2025-04-16T23:04:33.468Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json b/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json
index 28599b7585..f26643bec5 100644
--- a/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json
+++ b/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--bb15e60b-619b-4b94-9027-ea90522c2044",
+ "id": "bundle--0c730ef9-fafd-48d3-8f18-6b7f0727556b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f",
"created": "2023-09-29T17:59:54.204Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:59:54.204Z",
+ "modified": "2025-04-16T23:04:33.667Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json b/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json
index 387035c090..4ea834a351 100644
--- a/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json
+++ b/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--651ad994-8e77-4763-a760-7e5613e8c4f3",
+ "id": "bundle--1265b5c0-de86-418c-a098-7d4575444666",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T21:23:21.586Z",
+ "modified": "2025-04-16T23:04:33.876Z",
"description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json b/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json
index 60fb692030..efa9e4d9ed 100644
--- a/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json
+++ b/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--cc5814d5-02b9-4c4c-a262-8777d2ae4aa4",
+ "id": "bundle--83308e9c-a972-4d84-bc41-f285066b7d65",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:48:00.088Z",
+ "modified": "2025-04-16T23:04:34.072Z",
"description": "[EKANS](https://attack.mitre.org/software/S0605) masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. (Citation: Dragos Threat Intelligence February 2020)",
"relationship_type": "uses",
"source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json b/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json
index ab975128c1..7a52c56dd6 100644
--- a/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json
+++ b/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--de097fd8-d552-4f53-9484-244b6334e837",
+ "id": "bundle--62e0fa96-47bb-4b70-a45b-1c839cdbf911",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c37f097a-9698-412f-9e96-4d350bcd2790",
"created": "2023-09-29T16:44:26.728Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:44:26.728Z",
+ "modified": "2025-04-16T23:04:34.277Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json b/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json
index 2f480c0bff..114ec19733 100644
--- a/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json
+++ b/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b5811487-b17c-4b34-8701-f7d491308b04",
+ "id": "bundle--17cdd474-ec37-4ac9-9bfb-dc30e93f29aa",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608",
"created": "2023-09-29T18:49:14.639Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:49:14.639Z",
+ "modified": "2025-04-16T23:04:34.465Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json b/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json
index ad4d32d3cb..a24e952194 100644
--- a/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json
+++ b/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--95cf0c80-383b-4b6c-91b8-4d599ea4ca96",
+ "id": "bundle--4ae88372-be70-43d1-95f9-ed174eeeab63",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:56:39.825Z",
+ "modified": "2025-04-16T23:04:34.668Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) automatically collects protocol object data to learn about control devices in the environment. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json b/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json
index 0be373fd26..17b55c341e 100644
--- a/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json
+++ b/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--bf85f863-2885-4423-8487-eb490f43bae9",
+ "id": "bundle--cb88cd89-8a4c-43a5-b806-d801df129b3e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b",
"created": "2023-10-02T20:21:06.420Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:21:06.420Z",
+ "modified": "2025-04-16T23:04:34.889Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json b/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json
index 8e42b09439..2b1e5ba42f 100644
--- a/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json
+++ b/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8a5a5f3c-c267-461b-a9c6-6f141de0b62e",
+ "id": "bundle--30184462-d79d-4f0e-82eb-cccb8c04751d",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:47:35.207Z",
+ "modified": "2025-04-16T23:04:35.106Z",
"description": "Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json b/ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json
index 596902f2d5..c261073b85 100644
--- a/ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json
+++ b/ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--326ef6f9-b60a-42ce-9556-0c94cce69c4a",
+ "id": "bundle--1ce38efa-226c-4255-9860-7e6bb2fe1409",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c4718fa2-2592-44b0-87d0-f866c118a779",
"created": "2023-09-29T18:07:09.213Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:07:09.213Z",
+ "modified": "2025-04-16T23:04:35.331Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json b/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json
index 63d2d65e40..ae18e947d0 100644
--- a/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json
+++ b/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--32c5e405-a94b-46e5-ba41-f1690b1084f1",
+ "id": "bundle--ab36c026-782f-4285-83ca-750ff0d57dfc",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:42:42.363Z",
+ "modified": "2025-04-16T23:04:35.523Z",
"description": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json b/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json
index 5cfef56f11..cbc484b165 100644
--- a/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json
+++ b/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--97f4f10c-8e7f-4485-80d2-03cb05cb86fc",
+ "id": "bundle--c41c7ae7-eda3-411d-872a-373a68af3290",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c4a50132-a210-4093-878d-3d6df23ed26e",
"created": "2023-09-29T17:10:09.146Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:10:09.146Z",
+ "modified": "2025-04-16T23:04:35.724Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json b/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json
index 70955ad854..7a4d4f57c4 100644
--- a/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json
+++ b/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4ee34a6f-dcd9-43a8-8c78-9d1f27b56e42",
+ "id": "bundle--e5fd527f-8d62-445b-8714-5b96dd7f51f6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37",
"created": "2023-09-28T20:15:05.405Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:15:05.405Z",
+ "modified": "2025-04-16T23:04:35.927Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c4dd7251-ed87-4629-86b5-090e52a82df2.json b/ics-attack/relationship/relationship--c4dd7251-ed87-4629-86b5-090e52a82df2.json
index 0b7ddfcd08..fadac69180 100644
--- a/ics-attack/relationship/relationship--c4dd7251-ed87-4629-86b5-090e52a82df2.json
+++ b/ics-attack/relationship/relationship--c4dd7251-ed87-4629-86b5-090e52a82df2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9d4b01ca-ee6c-4ff9-aa95-b11172251a2c",
+ "id": "bundle--9575d2de-e9db-439c-99c1-61a33e7cfa54",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c4dd7251-ed87-4629-86b5-090e52a82df2",
"created": "2024-04-09T21:00:32.387Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T21:00:32.387Z",
+ "modified": "2025-04-16T23:04:36.124Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json b/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json
index fb571abc11..0b71623a81 100644
--- a/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json
+++ b/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--72346167-52cf-42a1-a521-86c325425cb2",
+ "id": "bundle--1a21ae3b-54bc-47c7-89ca-5857da40eb51",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T16:32:03.970Z",
+ "modified": "2025-04-16T23:04:36.324Z",
"description": "[OilRig](https://attack.mitre.org/groups/G0049) has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.(Citation: Robert Falcone, Bryan Lee May 2016)",
"relationship_type": "uses",
"source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json b/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json
index accfa31e86..f42c086261 100644
--- a/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json
+++ b/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--adbbc93f-c2a3-4560-a608-6ccd51942fd3",
+ "id": "bundle--5d0fa702-1967-470e-938f-ae1479cac9a8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c58563a8-d757-4476-8ae2-beb2acce38b3",
"created": "2023-10-02T20:20:55.473Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:20:55.473Z",
+ "modified": "2025-04-16T23:04:36.530Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c596f45a-ad65-4673-b316-05378175f35e.json b/ics-attack/relationship/relationship--c596f45a-ad65-4673-b316-05378175f35e.json
index de337a3aba..47ce0c249f 100644
--- a/ics-attack/relationship/relationship--c596f45a-ad65-4673-b316-05378175f35e.json
+++ b/ics-attack/relationship/relationship--c596f45a-ad65-4673-b316-05378175f35e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--07152c74-6e58-4415-ac19-d7ff59478d7b",
+ "id": "bundle--f5c294f0-ac5e-4dd7-8b46-fa08c8ba68d6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c596f45a-ad65-4673-b316-05378175f35e",
"created": "2024-04-09T20:54:19.196Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:54:19.196Z",
+ "modified": "2025-04-16T23:04:36.745Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json b/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json
index bed36d2953..9bcff870c7 100644
--- a/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json
+++ b/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--112d283b-6fb1-4483-8ac2-f130f31a2549",
+ "id": "bundle--ee6eae05-9f76-4b97-95b0-8aa74aad232f",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:32:08.109Z",
+ "modified": "2025-04-16T23:04:36.946Z",
"description": "[WannaCry](https://attack.mitre.org/software/S0366) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)",
"relationship_type": "uses",
"source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json b/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json
index ccca33eb20..e07ffd26c1 100644
--- a/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json
+++ b/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c2d3040b-67d8-4986-99d7-92581ced40b4",
+ "id": "bundle--f94c0ab9-63e9-4faf-8819-418e12174537",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd",
"created": "2023-09-29T18:43:49.839Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:43:49.839Z",
+ "modified": "2025-04-16T23:04:37.152Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json b/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json
index d476a19b28..b15636064d 100644
--- a/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json
+++ b/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c16b3c6b-906a-42a6-b35e-fee0e261b346",
+ "id": "bundle--1d8ac2d0-c0ec-4f62-8697-a99d21a523b8",
"spec_version": "2.0",
"objects": [
{
@@ -44,15 +44,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-08-20T19:05:24.106Z",
+ "modified": "2025-04-16T22:45:51.619Z",
"description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )(Citation: Trend Micro Cyclops Blink March 2022)(Citation: mandiant_apt44_unearthing_sandworm)",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json b/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json
index 216c300891..17d41c7e0c 100644
--- a/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json
+++ b/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--59d11b9e-2b43-486e-ad56-51e5197a1407",
+ "id": "bundle--f97c7b48-0b0d-44fb-ab62-6dc21ae898b7",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--c5fd0969-c151-4849-94c2-83e2e208cff7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.168Z",
- "relationship_type": "mitigates",
- "description": "Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n",
- "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a",
- "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:37.454Z",
+ "description": "Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a",
+ "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json b/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json
index f56ec6856d..40184fb304 100644
--- a/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json
+++ b/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--bcc495ed-1deb-4114-984c-05f724af2137",
+ "id": "bundle--d3c9d435-c85a-40b4-b057-3ef042c214bd",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:26:20.823Z",
+ "modified": "2025-04-16T23:04:37.666Z",
"description": "Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json b/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json
index d685b894b9..035cb3d185 100644
--- a/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json
+++ b/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ebaac276-22e5-49c7-8139-fa70905e6a70",
+ "id": "bundle--865e4ba3-3065-420c-9921-1bd9845b209a",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T21:23:30.482Z",
+ "modified": "2025-04-16T23:04:37.879Z",
"description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json b/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json
index 9f363985d6..e2a31955f3 100644
--- a/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json
+++ b/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ad69c9cd-8763-443c-ab54-3b2b4709864b",
+ "id": "bundle--4cf78825-0759-4447-9dfc-9665757a9584",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:17:59.179Z",
+ "modified": "2025-04-16T23:04:38.096Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json b/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json
index 26cf7c04f6..326c95cafe 100644
--- a/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json
+++ b/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--ca67e7e9-fe04-4401-9d3f-643d951e3b37",
+ "id": "bundle--0e0e2756-ee7d-4ced-9745-cfc09f3a4b57",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.070Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:38.318Z",
"description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json b/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json
index 0d318a5fe9..876add81e6 100644
--- a/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json
+++ b/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d3414f6c-31cc-4b2e-93f6-c381882ff4c9",
+ "id": "bundle--10f65492-a18f-4f62-90e1-a1a24cdea503",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36",
"created": "2023-09-28T21:27:50.246Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:27:50.246Z",
+ "modified": "2025-04-16T23:04:38.535Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json b/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json
index 625279f60a..5d757092d8 100644
--- a/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json
+++ b/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6f5a60a9-6ad8-447b-89cd-d6851f23a194",
+ "id": "bundle--d3b465a4-3926-49e6-96c9-ffd48c546890",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:45:39.703Z",
- "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.",
+ "modified": "2025-04-16T23:04:38.754Z",
+ "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information Mitigation](https://attack.mitre.org/mitigations/T1140) in payloads.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json b/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json
index 8995d67d36..d9324bdc24 100644
--- a/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json
+++ b/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--0a7d0059-1f98-45ff-bb1a-8e37b37f12b8",
+ "id": "bundle--d017b2df-c886-442a-a4f2-c9b030aca72a",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--c67e3535-69a9-4234-8170-4ad6efc632b7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.211Z",
- "relationship_type": "mitigates",
- "description": "Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. (Citation: OWASP)\n",
- "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037",
- "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "OWASP",
@@ -23,9 +15,16 @@
"url": "https://owasp.org/www-project-top-ten/"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:38.956Z",
+ "description": "Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. (Citation: OWASP)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037",
+ "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json b/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json
index 27ae4150d9..f7639f5a73 100644
--- a/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json
+++ b/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--f9d57289-fa34-4ad8-bf46-7c76438b1fc3",
+ "id": "bundle--4d031df5-4479-4158-8cae-519b93ac8768",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.132Z",
- "relationship_type": "mitigates",
- "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n",
- "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
- "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014",
@@ -23,9 +15,16 @@
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:39.146Z",
+ "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
+ "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json b/ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json
index a5f72c56cf..c15b6a0c75 100644
--- a/ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json
+++ b/ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fb2a0477-fe3d-4c67-9567-26e3bed7b9a1",
+ "id": "bundle--08c2d924-3be7-4fae-894d-9396dee9d476",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8",
"created": "2023-09-29T17:59:11.267Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:59:11.267Z",
+ "modified": "2025-04-16T23:04:39.381Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json b/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json
index 23c5c74a34..aa7859460e 100644
--- a/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json
+++ b/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d9af5497-f314-40f3-8b04-a5b052e30389",
+ "id": "bundle--b21bff4f-0144-4510-812b-0463cde39372",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374",
"created": "2022-09-26T14:35:27.430Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:35:27.430Z",
+ "modified": "2025-04-16T23:04:39.579Z",
"description": "Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via [Rogue Master](https://attack.mitre.org/techniques/T0848).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json b/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json
index 0619309c5d..ef36c295f5 100644
--- a/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json
+++ b/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0a8357b4-f413-45f9-acaa-6b337fca0da1",
+ "id": "bundle--f2dfc115-82cd-4fc5-b39d-e14b13d1fab8",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-23T18:57:08.952Z",
+ "modified": "2025-04-16T23:04:39.776Z",
"description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json b/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json
index e7375a6bf2..d10884ba9b 100644
--- a/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json
+++ b/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--6922d4ef-784b-471c-abef-3dfbbdc7f770",
+ "id": "bundle--f0278596-5468-4d61-8a48-2e54bdd993a1",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.186Z",
- "relationship_type": "mitigates",
- "description": "When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
- "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:39.976Z",
+ "description": "When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
+ "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json b/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json
index f9183f53fa..d0cbb11f71 100644
--- a/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json
+++ b/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--723fdd77-8110-4316-8710-01f4631f14ff",
+ "id": "bundle--47c63924-c264-4a03-a02a-9d7d9882bd91",
"spec_version": "2.0",
"objects": [
{
@@ -12,7 +12,7 @@
"external_references": [
{
"source_name": "ACSC Email Spoofing",
- "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.",
+ "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
},
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-05-31T04:18:44.578Z",
+ "modified": "2025-04-16T23:04:40.173Z",
"description": "Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json b/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json
index 02ab8138e1..50e5535fc5 100644
--- a/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json
+++ b/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--8ce4c9e2-a0ab-4756-afcc-a30946916b83",
+ "id": "bundle--cf36557e-6483-4871-9389-6d51cc89c473",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.174Z",
- "relationship_type": "mitigates",
- "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Karen Scarfone; Paul Hoffman September 2009",
@@ -38,9 +30,16 @@
"url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:40.372Z",
+ "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c8222300-6c5e-42d6-ae67-3595407b89fd.json b/ics-attack/relationship/relationship--c8222300-6c5e-42d6-ae67-3595407b89fd.json
index a082cae28e..0eb44c41e6 100644
--- a/ics-attack/relationship/relationship--c8222300-6c5e-42d6-ae67-3595407b89fd.json
+++ b/ics-attack/relationship/relationship--c8222300-6c5e-42d6-ae67-3595407b89fd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3b33012c-7dd1-4926-b261-204636fa1b83",
+ "id": "bundle--f5267a4c-7197-4308-8955-cd09bccc781a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c8222300-6c5e-42d6-ae67-3595407b89fd",
"created": "2024-04-09T20:54:39.801Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:54:39.801Z",
+ "modified": "2025-04-16T23:04:40.569Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json b/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json
index bb43b8a754..9443fc7f46 100644
--- a/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json
+++ b/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a3d9c3d2-8df8-4a00-a249-da555236a805",
+ "id": "bundle--2eb76100-3871-429a-90a8-1680147c39b1",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:31:07.308Z",
+ "modified": "2025-04-16T23:04:40.783Z",
"description": "The [VPNFilter](https://attack.mitre.org/software/S1010)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)",
"relationship_type": "uses",
"source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json b/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json
index da849e1b24..dc476accb1 100644
--- a/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json
+++ b/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--062df672-135a-4826-a80b-07e68d0695a3",
+ "id": "bundle--bc9eb5e1-d093-44b2-9388-079e8e0c6580",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-04-12T17:00:17.249Z",
- "modified": "2022-05-06T17:47:24.212Z",
- "relationship_type": "mitigates",
- "description": "A supply chain management program should include methods the assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n",
- "source_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c",
- "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Robert A. Martin January 2021",
@@ -23,9 +15,16 @@
"url": "https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-comprehensive-data-driven-approach.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:40.969Z",
+ "description": "A supply chain management program should include methods the assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c",
+ "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json b/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json
index 1d83e3de05..e1fee6dad0 100644
--- a/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json
+++ b/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c7f7a39a-2d21-42cb-922e-49060cd8cd2c",
+ "id": "bundle--ae82a194-4a8e-43ca-a955-d70e99650c41",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:23:14.457Z",
+ "modified": "2025-04-16T23:04:41.166Z",
"description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json b/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json
index ffd7bf6e27..2274cf7532 100644
--- a/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json
+++ b/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--025e57a1-7b48-4a29-981f-f65797aba7a4",
+ "id": "bundle--179efd19-6a74-4cfc-a82f-1ede432c19a7",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-27T13:25:51.965Z",
+ "modified": "2025-04-16T22:46:37.915Z",
"description": "(Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json b/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json
index af35ed1dbc..f0cc4692bc 100644
--- a/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json
+++ b/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--bb00f1fc-a5d8-4466-81b8-69af0f5a36b7",
+ "id": "bundle--96d6e3b1-f71b-4ef3-9559-f50b5989f0bc",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--c9065f74-556d-4728-8072-f96642e70316",
+ "created": "2021-04-12T18:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--c9065f74-556d-4728-8072-f96642e70316",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-12T18:59:24.739Z",
- "modified": "2022-05-06T17:47:24.187Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:41.466Z",
"description": "Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json b/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json
index 1af6d97be7..589eb9c817 100644
--- a/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json
+++ b/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0f2b166c-137c-4d8e-ab25-24e64e78cb64",
+ "id": "bundle--c9790570-db7f-41ab-9636-97df18ef0aad",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:06:28.859Z",
+ "modified": "2025-04-16T23:04:41.652Z",
"description": "[REvil](https://attack.mitre.org/software/S0496) sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. (Citation: Tom Fakterman August 2019) (Citation: SecureWorks September 2019)",
"relationship_type": "uses",
"source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json b/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json
index 466641d4ba..152eb2efc7 100644
--- a/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json
+++ b/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--b7377cf3-ef49-41b9-a27c-17f4d21b66f6",
+ "id": "bundle--0b88d5dc-5338-41ae-9df0-2ea6fbe4a05a",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.068Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:41.865Z",
"description": "Provide an alternative method for alarms to be reported in the event of a communication failure.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
"target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json b/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json
index 076af8665f..2ace278694 100644
--- a/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json
+++ b/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2cd7b24e-0cd5-4c83-abed-6da7cfea41ab",
+ "id": "bundle--509ad9fa-0907-435e-bb2f-2ad7d6a712eb",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c95850f4-4616-435c-b237-f1985833d40e",
"created": "2023-09-29T16:29:39.918Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:29:39.918Z",
+ "modified": "2025-04-16T23:04:42.076Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json b/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json
index cc05f7f022..a9877b1dc7 100644
--- a/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json
+++ b/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--dba7f115-d279-4bdd-ae97-a078a00590bd",
+ "id": "bundle--ab4a53a1-d785-4ea0-96b8-f73d3184bf8e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--c9fb4adb-8064-426a-838d-c93674fb380b",
"created": "2023-09-29T18:44:38.035Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:44:38.035Z",
+ "modified": "2025-04-16T23:04:42.312Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json b/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json
index 59afbf9db0..2271c49e10 100644
--- a/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json
+++ b/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a38b24f1-dfc2-449c-92ac-b6ec566950f2",
+ "id": "bundle--22f7976b-74f8-4ece-9373-7d89fffd93ef",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:50:10.284Z",
+ "modified": "2025-04-16T23:04:42.511Z",
"description": "Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json b/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json
index 0107eb2f21..9eb468295f 100644
--- a/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json
+++ b/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--26bd9c96-50d1-4b4f-bd01-5f292cfaae06",
+ "id": "bundle--8a8d9c27-2676-4bb6-882d-59ddfca051ef",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ca13a117-aae0-4802-878b-c09f4a04dd31",
"created": "2023-09-28T20:06:50.018Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:06:50.018Z",
+ "modified": "2025-04-16T23:04:42.722Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ca225ea0-e813-4205-98db-707b474ae24f.json b/ics-attack/relationship/relationship--ca225ea0-e813-4205-98db-707b474ae24f.json
index 2d14307077..2ac96c72b0 100644
--- a/ics-attack/relationship/relationship--ca225ea0-e813-4205-98db-707b474ae24f.json
+++ b/ics-attack/relationship/relationship--ca225ea0-e813-4205-98db-707b474ae24f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6e05def5-02cc-42ef-ba35-81d8d3a25615",
+ "id": "bundle--847b8d41-8bfe-4f32-ba22-78beb1637bb1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ca225ea0-e813-4205-98db-707b474ae24f",
"created": "2024-04-09T20:49:44.575Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:49:44.575Z",
+ "modified": "2025-04-16T23:04:42.923Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json b/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json
index 04123de91e..64973139da 100644
--- a/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json
+++ b/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f852373f-2583-4ead-a87c-a9283e5b0981",
+ "id": "bundle--ea20a2ee-4607-4d0b-b997-f6c2de22ee59",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-31T19:58:55.128Z",
+ "modified": "2025-04-16T23:04:43.126Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. (Citation: Anton Cherepanov, ESET June 2017)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json b/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json
index a560a44e6b..3428d03e1b 100644
--- a/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json
+++ b/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--5ed9f1bc-6fe0-443a-8d31-ffaf403366c7",
+ "id": "bundle--33383fe2-bb1b-41a5-b017-5ce876aaef00",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ca5c7ae7-5273-4888-bc50-183d6e200972",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ca5c7ae7-5273-4888-bc50-183d6e200972",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.105Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:43.337Z",
"description": "Built-in browser sandboxes and application isolation may be used to contain web-based malware.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json b/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json
index d9a5c36a82..6bb0ce8198 100644
--- a/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json
+++ b/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--4263b5cc-98cb-434b-ba3c-a5c52cb56aef",
+ "id": "bundle--9a6c7abc-da9f-487f-a5fd-89ea3a688623",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ca64a927-f050-41b3-80d3-93d22cdef26a",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ca64a927-f050-41b3-80d3-93d22cdef26a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.081Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:43.547Z",
"description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
"target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json b/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json
index 591ba9c7a3..e569b02147 100644
--- a/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json
+++ b/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--e248cdac-865a-4197-b427-69a7f34e72ab",
+ "id": "bundle--743ce5ad-44f7-4036-857e-e0ea738558da",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.105Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:43.758Z",
"description": "Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json b/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json
index 6c0a1a957c..26cef12398 100644
--- a/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json
+++ b/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--fa576099-1e6d-4e08-80cc-527bf58d8a75",
+ "id": "bundle--05bc6f4d-2673-4d8a-9f46-034db78e1b2a",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:31:19.732Z",
+ "modified": "2025-04-16T23:04:43.976Z",
"description": "The [VPNFilter](https://attack.mitre.org/software/S1010) packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)",
"relationship_type": "uses",
"source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d",
"target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json b/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json
index 41ef811965..3240d3e4da 100644
--- a/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json
+++ b/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json
@@ -1,14 +1,11 @@
{
"type": "bundle",
- "id": "bundle--3e5c678d-7b31-4534-a862-9970fff68db3",
+ "id": "bundle--e69f70af-289c-4135-8869-9477d3a8884e",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b",
"type": "relationship",
+ "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b",
"created": "2021-10-04T20:52:20.304Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
@@ -18,13 +15,16 @@
"url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/"
}
],
- "modified": "2021-10-04T20:54:09.057Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T22:47:12.098Z",
"description": "(Citation: ESET Lazarus KillDisk April 2018)",
"relationship_type": "uses",
"source_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340",
"target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json b/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json
index 2d08eacfb9..aeb90233bc 100644
--- a/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json
+++ b/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9ae298c2-ffc7-4ecc-b579-52798aeabcfc",
+ "id": "bundle--a67c1355-4820-4d4e-b5bc-f82d589664dd",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:48:12.637Z",
+ "modified": "2025-04-16T23:04:44.309Z",
"description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json b/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json
index 253449e535..d0d294fe1c 100644
--- a/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json
+++ b/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--24f20e38-6128-47b1-b0be-7d0506d1af81",
+ "id": "bundle--eb3bf477-4984-4684-8e4f-214f1c35ab5e",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:18:37.808Z",
+ "modified": "2025-04-16T23:04:44.524Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json b/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json
index 6065f69b25..c38e99102b 100644
--- a/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json
+++ b/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--dce4248d-b46e-4a6a-83ff-bd7c9c5d71f9",
+ "id": "bundle--c9c05791-9e09-4610-8b12-330926409d71",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd",
"created": "2023-09-28T21:14:29.099Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:14:29.099Z",
+ "modified": "2025-04-16T23:04:44.717Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json b/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json
index bfa51a7c66..36bc4e93e4 100644
--- a/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json
+++ b/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--38b52021-8e4c-4454-8705-e031c194fe25",
+ "id": "bundle--630ceeb6-987a-48d7-b9d5-e5e400f5226a",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.219Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:44.933Z",
"description": "Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
"target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json b/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json
index f34ac18df2..58b23966a0 100644
--- a/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json
+++ b/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--d70e4c7f-42d2-4277-aea4-76e94d9aa193",
+ "id": "bundle--676fb1cf-6eae-484c-a7e6-d3cfbc962db3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794",
"created": "2023-03-30T14:08:42.386Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T14:08:42.386Z",
+ "modified": "2025-04-16T23:04:45.138Z",
"description": "Retain cold-standby or replacement hardware of similar models to ensure continued operations of critical functions if the primary system is compromised or unavailable. (Citation: M. Rentschler and H. Heine)",
"relationship_type": "mitigates",
"source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
"target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json b/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json
index 872251a636..2524f0223f 100644
--- a/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json
+++ b/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--7aea9df3-d0aa-4fc2-b853-8e84b45cf9ee",
+ "id": "bundle--0dd65722-e535-41f6-bf1a-f716605575c1",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.446Z",
+ "modified": "2025-04-16T23:04:45.380Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to exploit a vulnerable Asrock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system.(Citation: Wylie-22)",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d.json b/ics-attack/relationship/relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d.json
index d2769be584..b8f9a6fb91 100644
--- a/ics-attack/relationship/relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d.json
+++ b/ics-attack/relationship/relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--69e2c127-8475-48d4-abb9-9081ea2880b0",
+ "id": "bundle--ab5b41de-8b60-4101-b4be-3ae157994313",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d",
"created": "2024-04-09T20:54:26.301Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:54:26.301Z",
+ "modified": "2025-04-16T23:04:45.573Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json b/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json
index 09bd7e5a8f..e9161e450f 100644
--- a/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json
+++ b/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--61c6ebb8-3095-468a-be24-45d3be062471",
+ "id": "bundle--7d2c7522-d0e3-4e4d-b0c8-0cf9aee62a98",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749",
"created": "2023-10-20T17:05:25.595Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-20T17:05:25.595Z",
+ "modified": "2025-04-16T23:04:45.801Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json b/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json
index b29fd3a648..c8027217a3 100644
--- a/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json
+++ b/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4dfefab0-f812-4cfc-9cd6-c66a6852392a",
+ "id": "bundle--2510b654-ba50-460b-a0e0-0084044e18a2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a",
"created": "2023-09-29T16:30:08.166Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:30:08.166Z",
+ "modified": "2025-04-16T23:04:46.007Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json b/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json
index ace246226b..a74017e472 100644
--- a/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json
+++ b/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--ab8de924-6f14-4282-a747-57e51284e9d6",
+ "id": "bundle--af050aca-8915-4a06-9cb2-94e9030cfdc4",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.146Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:46.217Z",
"description": "Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json b/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json
index d38004ee4e..99709d35d6 100644
--- a/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json
+++ b/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e23b397b-a898-41f9-9ee5-eb45e95683ae",
+ "id": "bundle--a142544b-04e2-4fbf-9286-8ad77bd669dd",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c",
"created": "2022-09-27T15:34:07.320Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:34:07.320Z",
+ "modified": "2025-04-16T23:04:46.425Z",
"description": "Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host\u2019s GUI.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
"target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json b/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json
index dd52ab4bc5..79ea391a9c 100644
--- a/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json
+++ b/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b89eae1b-6fe5-4e4a-b922-996b05f74cbc",
+ "id": "bundle--f39dc755-49f4-467f-adc0-1d470f03ffc1",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:19:13.497Z",
+ "modified": "2025-04-16T23:04:46.639Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json b/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json
index 41bcc55d1b..d87b185e1d 100644
--- a/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json
+++ b/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--671a8751-373a-4505-b60b-ea228e2b2ff5",
+ "id": "bundle--02a5ddfe-ca75-4988-8678-28f4047cd0c9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ccbb44ad-2220-4260-99ce-9142c44fc797",
"created": "2023-09-28T21:10:03.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:10:03.272Z",
+ "modified": "2025-04-16T23:04:46.864Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json b/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json
index 5ccbae844c..2fe4ade89c 100644
--- a/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json
+++ b/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c3dd1ec2-04f5-42f8-89c0-637940fed950",
+ "id": "bundle--a1808501-c757-41da-a0c2-36e7ba5c7fa9",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:28:11.304Z",
+ "modified": "2025-04-16T23:04:47.078Z",
"description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. (Citation: Jos Wetzels January 2018)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json b/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json
index f832794d8d..d63d8c59be 100644
--- a/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json
+++ b/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--bfc1bef7-8ad4-4b2d-919a-f322980ff5b6",
+ "id": "bundle--7abda8ca-2098-47f9-a6a5-bcbd3313e2ce",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.072Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:47.321Z",
"description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json b/ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json
index bd1c8ab0f2..dc99236829 100644
--- a/ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json
+++ b/ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ab5a5174-15c6-4774-a7be-d3b7ed673197",
+ "id": "bundle--7593e072-2908-4230-82d4-791dcc037b3b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2",
"created": "2023-09-28T20:15:56.470Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:15:56.470Z",
+ "modified": "2025-04-16T23:04:47.514Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8.json b/ics-attack/relationship/relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8.json
index 980f23428d..fc407d8706 100644
--- a/ics-attack/relationship/relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8.json
+++ b/ics-attack/relationship/relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--012cefa5-e79d-42e6-be2a-8f8c58af3c27",
+ "id": "bundle--22a7105d-b147-4ea8-9e44-d9204f06860b",
"spec_version": "2.0",
"objects": [
{
@@ -17,22 +17,21 @@
},
{
"source_name": "FireEye TRITON 2018",
- "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"
+ "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:02:44.848Z",
+ "modified": "2025-04-16T23:04:47.756Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) utilized remote desktop protocol (RDP) jump boxes, poorly configured OT firewalls (Citation: Triton-EENews-2017), along with other traditional malware backdoors, to move into the ICS environment.(Citation: FireEye TRITON 2018)(Citation: Triton-EENews-2017)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json b/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json
index 2735f372fa..a86ab9fd9c 100644
--- a/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json
+++ b/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--236d6a30-36aa-4aa6-94bf-fd895a0b0cd3",
+ "id": "bundle--f142f8ba-8f1f-4dd8-b322-7451c76503ff",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T19:12:25.664Z",
+ "modified": "2025-04-16T23:04:47.954Z",
"description": "Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json b/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json
index a6c7db0268..1347ad8094 100644
--- a/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json
+++ b/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7dc149d7-1fb8-4e62-8069-e4fb4b1ba225",
+ "id": "bundle--db8a88c3-cadd-41fd-b00c-b1a20347852c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986",
"created": "2023-09-29T16:31:36.462Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:31:36.462Z",
+ "modified": "2025-04-16T23:04:48.157Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json b/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json
index 0858f12d97..f8c8e3619a 100644
--- a/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json
+++ b/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json
@@ -1,35 +1,35 @@
{
"type": "bundle",
- "id": "bundle--7c7c14b5-3cde-435d-8e52-8c9e28597778",
+ "id": "bundle--a71d72ff-5817-413f-b3a2-2eeb3567e0a9",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb",
"type": "relationship",
+ "id": "relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb",
"created": "2021-01-20T21:03:13.436Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "US District Court Indictment GRU Unit 74455 October 2020",
- "url": "https://www.justice.gov/opa/press-release/file/1328521/download",
- "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."
+ "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.",
+ "url": "https://www.justice.gov/opa/press-release/file/1328521/download"
},
{
"source_name": "Secureworks IRON VIKING ",
- "url": "https://www.secureworks.com/research/threat-profiles/iron-viking",
- "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."
+ "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.",
+ "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"
}
],
- "modified": "2022-02-28T17:02:50.467Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T22:48:04.707Z",
"description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Secureworks IRON VIKING )",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json b/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json
index 7b4f1dd022..1887a756b6 100644
--- a/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json
+++ b/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--5580abc7-40ab-485c-a20f-0200d719b1b2",
+ "id": "bundle--57ed43b0-c3ed-4d40-84e6-08eb3a5b73be",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.207Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:04:48.463Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json b/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json
index 527bb9ed87..770857031d 100644
--- a/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json
+++ b/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--17c15109-be4a-44e1-b63c-bb0b2ebc03e8",
+ "id": "bundle--25b0608b-9d6f-4ce2-b731-3320c142f833",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a",
"created": "2022-09-26T14:37:45.140Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:37:45.140Z",
+ "modified": "2025-04-16T23:04:48.668Z",
"description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json b/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json
index c867edfee8..0bfce6f9fc 100644
--- a/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json
+++ b/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b0657ee1-492f-4cdc-8f81-4351daa60372",
+ "id": "bundle--9c965e17-0e81-446d-884f-bc3cbb960d36",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:50:45.583Z",
+ "modified": "2025-04-16T23:04:48.864Z",
"description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d",
"target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json b/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json
index 2179fff948..a98ca7c834 100644
--- a/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json
+++ b/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--64eb2d81-4acc-4cda-aac5-da02b1121d23",
+ "id": "bundle--9a226858-2f3d-4be9-a87d-059ee4f26d3d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d",
"created": "2023-09-29T16:29:16.222Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:29:16.222Z",
+ "modified": "2025-04-16T23:04:49.067Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json b/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json
index e545c50345..7c0513f46e 100644
--- a/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json
+++ b/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c8c666de-82e3-4cec-bb8b-d26bc4af7d74",
+ "id": "bundle--2a97eee3-a9ec-4ad2-8a72-159c88541746",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-28T18:44:20.611Z",
+ "modified": "2025-04-16T23:04:49.271Z",
"description": "Monitor for unexpected ICS protocol functions from new and existing devices. Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json b/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json
index b27d02adcc..f21f31093b 100644
--- a/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json
+++ b/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--57da102f-3566-49fe-8178-04138ebc77ce",
+ "id": "bundle--a5a45d79-e6e9-41a0-9065-7a178c67fee6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cf8a816c-30ee-4147-a48f-d797fb145a04",
"created": "2023-09-29T17:43:10.828Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:43:10.829Z",
+ "modified": "2025-04-16T23:04:49.460Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json b/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json
index 3117497f3f..eb7d8bdd20 100644
--- a/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json
+++ b/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--fa78687c-c8b0-4d9d-afff-515d455edd5f",
+ "id": "bundle--1d470844-541f-4303-a33b-87c72d72eddf",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.216Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:49.681Z",
"description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json b/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json
index 5b07874502..12d75cf7ed 100644
--- a/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json
+++ b/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d01f57a6-da26-4d41-9aff-432351f777b1",
+ "id": "bundle--d57a8b6f-fce1-4581-b799-22d4ecc7a1a5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185",
"created": "2023-09-28T21:15:44.547Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:15:44.547Z",
+ "modified": "2025-04-16T23:04:49.882Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json b/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json
index 73e2f3c2b3..2f18c68af0 100644
--- a/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json
+++ b/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0165cba6-97ed-4e83-928b-19f954579f4d",
+ "id": "bundle--92c0d5f8-a4c1-48f6-9754-a7434ce37d94",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T19:00:16.899Z",
+ "modified": "2025-04-16T23:04:50.070Z",
"description": "Monitor application logs for new or unexpected devices or sessions on wireless networks.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json b/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json
index 20888aa3c4..27417a028e 100644
--- a/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json
+++ b/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--89615b72-4421-40fa-8c83-3feb7ac42b0f",
+ "id": "bundle--4f4e40a3-23dc-4169-a335-cc1647ec9611",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab",
"created": "2023-10-02T20:22:25.770Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:22:25.770Z",
+ "modified": "2025-04-16T23:04:50.270Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json b/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json
index 6efdf3a154..56be3704f3 100644
--- a/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json
+++ b/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--32b64a18-8037-47f6-a922-e3eab59808a5",
+ "id": "bundle--ebba4313-2c49-4841-b2bf-32e20aa9d91e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d03de729-9235-4ceb-a1c0-935e2088020b",
"created": "2023-09-28T21:29:12.533Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:29:12.533Z",
+ "modified": "2025-04-16T23:04:50.495Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json b/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json
index 99945b4e24..40cf49fd23 100644
--- a/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json
+++ b/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--cc86ff11-d88e-4057-8f0c-bf2947421c6c",
+ "id": "bundle--82bce08f-7d74-4b95-845e-54be0dae11f5",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.208Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:50.705Z",
"description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json b/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json
index ac386e3833..0e55636f6d 100644
--- a/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json
+++ b/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--398fc1de-6e50-4284-9741-4bdc1785c72f",
+ "id": "bundle--dfc6c1f1-e464-41b5-8f2e-85202292caf6",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.267Z",
+ "modified": "2025-04-16T23:04:50.912Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), operators were shut out of their equipment either through the denial of peripheral use or the degradation of equipment. Operators were therefore unable to recover from the incident through their traditional means. Much of the power was restored manually. (Citation: Ukraine15 - EISAC - 201603)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json b/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json
index e5ce7a924e..62d2a507d0 100644
--- a/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json
+++ b/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--26e3c5bd-8f4d-4869-aac1-2ae4e2768efc",
+ "id": "bundle--a7dd3900-945d-4017-93ba-6b7a72b24ab4",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T13:53:55.028Z",
+ "modified": "2025-04-16T23:04:51.106Z",
"description": "Disable unnecessary legacy network protocols that may be used for AiTM if applicable.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json b/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json
index b728ba5d38..86ef4c5026 100644
--- a/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json
+++ b/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--014b6ade-3950-4bd6-88b6-bd2fc976385f",
+ "id": "bundle--55f14ae3-f449-49b3-af40-0da09e404c06",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.160Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:51.340Z",
"description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json b/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json
index f938edc8cd..072f725bfb 100644
--- a/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json
+++ b/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--671a19d9-7283-45dc-8077-0a5dd0d19f92",
+ "id": "bundle--15ad8e4f-8144-4d67-9906-853b275eada8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d1a97502-b41d-40a8-aff5-13367fefc642",
"created": "2023-09-28T21:21:45.003Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:21:45.003Z",
+ "modified": "2025-04-16T23:04:51.534Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json b/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json
index d45b93865f..2cf3c87178 100644
--- a/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json
+++ b/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e70b8f93-2be6-49dc-a40c-f86758abe63c",
+ "id": "bundle--f5fb3596-5625-40b1-b214-928d6cd06b12",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896",
"created": "2023-09-29T16:28:52.111Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:28:52.111Z",
+ "modified": "2025-04-16T23:04:51.758Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json b/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json
index e04984315d..29f6e15105 100644
--- a/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json
+++ b/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--8ddc9ba0-7e4e-4384-af68-a476b45f99b2",
+ "id": "bundle--57716a9a-167e-47ba-84a7-d373ed4a13a2",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.086Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:51.970Z",
"description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848",
"target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json b/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json
index c95abdbd04..87473dc743 100644
--- a/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json
+++ b/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ca70bdf8-c1b5-4049-9237-45fefac5018f",
+ "id": "bundle--b82187d1-0d29-44fd-b0b7-9406818cafee",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d23fd724-563d-4f49-8bcd-09c653728cd3",
"created": "2023-09-28T21:28:00.462Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:28:00.462Z",
+ "modified": "2025-04-16T23:04:52.170Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json b/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json
index b1623447f2..c130a01ff0 100644
--- a/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json
+++ b/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e613d7c8-d5e2-4c82-a2ec-a91e04c3ff46",
+ "id": "bundle--e1ab9928-66ea-4768-ab06-5db7d6f8ca1e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242",
"created": "2023-09-28T19:53:20.304Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:53:20.304Z",
+ "modified": "2025-04-16T23:04:52.379Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json b/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json
index 7b2d12ac75..93e3275fb5 100644
--- a/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json
+++ b/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--67fb6e51-a784-4065-a231-8e762ea53b8c",
+ "id": "bundle--332ce4cc-7eea-44a4-8c9c-1e731216c07e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d2a434c7-4428-435e-ae6b-e54012f29606",
"created": "2023-09-25T20:43:52.987Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:43:52.987Z",
+ "modified": "2025-04-16T23:04:52.603Z",
"description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json b/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json
index d72ade0f99..e51a1bd783 100644
--- a/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json
+++ b/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ce5f4dbc-25ea-49e0-9c11-98d313798626",
+ "id": "bundle--1d636349-60aa-4701-8ec3-a5536b9bee95",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af",
"created": "2022-09-27T16:08:15.473Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T16:08:15.473Z",
+ "modified": "2025-04-16T23:04:52.871Z",
"description": "Monitor device application logs that indicate the program has changed, although not all devices produce such logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json b/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json
index e993aac226..1b6a87d012 100644
--- a/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json
+++ b/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--584b7e7e-6746-44f2-a6fb-a91cd9b8eb88",
+ "id": "bundle--4e35778b-d162-44d1-a5ca-39070f35be68",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T16:32:31.072Z",
+ "modified": "2025-04-16T23:04:53.064Z",
"description": "[OilRig](https://attack.mitre.org/groups/G0049) communicated with its command and control using HTTP requests. (Citation: Robert Falcone, Bryan Lee May 2016)",
"relationship_type": "uses",
"source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json b/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json
index 7a4f21839a..722744addb 100644
--- a/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json
+++ b/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f1476e19-e1cd-494f-9f48-226c46bdfab5",
+ "id": "bundle--3f6e3c8d-5c56-423b-bf07-973f45c56b79",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999",
"created": "2023-09-29T18:49:54.378Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:49:54.378Z",
+ "modified": "2025-04-16T23:04:53.274Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json b/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json
index 1b98ee51f0..4e66592d9b 100644
--- a/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json
+++ b/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ff3f2d81-066d-44a4-9466-975f649f32cf",
+ "id": "bundle--8bc7eb72-a7a8-47d6-b255-bbc1a22c9f14",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72",
"created": "2023-09-28T19:38:27.199Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:38:27.199Z",
+ "modified": "2025-04-16T23:04:53.470Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d3717846-eaab-4fde-99f6-a972dec9323b.json b/ics-attack/relationship/relationship--d3717846-eaab-4fde-99f6-a972dec9323b.json
index 7623465c72..3f7626824e 100644
--- a/ics-attack/relationship/relationship--d3717846-eaab-4fde-99f6-a972dec9323b.json
+++ b/ics-attack/relationship/relationship--d3717846-eaab-4fde-99f6-a972dec9323b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--037d2db2-d850-4b8e-9220-faf73dad799a",
+ "id": "bundle--5ed37136-e506-4094-9aea-a1774efaa8b2",
"spec_version": "2.0",
"objects": [
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T16:02:58.250Z",
+ "modified": "2025-04-16T22:49:21.362Z",
"description": "(Citation: Mandiant-Sandworm-Ukraine-2022)(Citation: Dragos-Sandworm-Ukraine-2022) ",
"relationship_type": "attributed-to",
"source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d",
"target_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json b/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json
index 45adb483d4..01817991a7 100644
--- a/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json
+++ b/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--abd58223-0282-4003-967e-6b9d45216557",
+ "id": "bundle--5038868e-099c-44e4-b399-c69932e23cec",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.227Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:53.798Z",
"description": "Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json b/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json
index 425dcc614c..dd259e872f 100644
--- a/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json
+++ b/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4266dafe-13ae-4675-bbff-96344e4b4873",
+ "id": "bundle--b423e9e5-e200-44fa-a220-8c6419a6d9ba",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d3d4f469-9847-41ef-a478-5eaf6003d483",
"created": "2023-10-02T20:23:00.405Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:23:00.405Z",
+ "modified": "2025-04-16T23:04:53.992Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json b/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json
index b67b0657a4..773e8502fa 100644
--- a/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json
+++ b/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c7709f2e-d0b7-4220-bd9c-1693fdd6f4f3",
+ "id": "bundle--6d737cdc-ea8b-4326-b477-d315e7aa4871",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:49:29.157Z",
+ "modified": "2025-04-16T23:04:54.193Z",
"description": "Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json b/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json
index a3ea671b1d..f040e6c83d 100644
--- a/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json
+++ b/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a05e871c-459d-4374-a8b1-d7652dbe7551",
+ "id": "bundle--a8c15b3f-b851-4cab-a231-36e70ebe5b2b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d455330d-f190-4854-8087-4c2c37003b45",
"created": "2023-09-29T17:39:29.897Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:39:29.897Z",
+ "modified": "2025-04-16T23:04:54.422Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json b/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json
index 15049efe43..2131405fd8 100644
--- a/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json
+++ b/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--38dd6110-edd0-4223-89f7-c577894f90e8",
+ "id": "bundle--851869fc-7835-4779-88f9-d818a69eeb49",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d48894cb-457e-4a81-82b4-2d735aea5128",
"created": "2023-09-28T19:50:56.496Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:50:56.496Z",
+ "modified": "2025-04-16T23:04:54.613Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json b/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json
index eee904968f..fd42c6fc91 100644
--- a/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json
+++ b/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json
@@ -1,14 +1,11 @@
{
"type": "bundle",
- "id": "bundle--bb821000-a960-4d33-b55a-82e82865ca4a",
+ "id": "bundle--23a0b909-bc14-40f9-8bdd-555140c97bf7",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab",
"type": "relationship",
+ "id": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab",
"created": "2017-05-31T21:33:27.070Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
@@ -19,17 +16,20 @@
},
{
"source_name": "Gigamon Berserk Bear October 2021",
- "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
- "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."
+ "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.",
+ "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"
}
],
- "modified": "2021-12-07T18:39:07.922Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T22:49:38.176Z",
"description": "(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)",
"relationship_type": "uses",
"source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87.json b/ics-attack/relationship/relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87.json
index d1e02fc488..54d8d5217f 100644
--- a/ics-attack/relationship/relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87.json
+++ b/ics-attack/relationship/relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--25db1faa-76e3-45f4-bfdc-f88bdf16e65a",
+ "id": "bundle--bb8fe732-e950-47c0-848d-9d2741e196b4",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-17T15:20:33.849Z",
+ "modified": "2025-04-16T23:04:54.925Z",
"description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used existing hypervisor access to map an ISO image named `a.iso` to a virtual machine running a SCADA server. The SCADA server\u2019s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed.(Citation: Mandiant-Sandworm-Ukraine-2022)",
"relationship_type": "uses",
"source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d",
"target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json b/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json
index 3294f565d4..4268864cd3 100644
--- a/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json
+++ b/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--bf211c8e-d366-4d1b-92da-4f8b1976f057",
+ "id": "bundle--c153dccd-ee33-4ee7-99fe-52415039eb13",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:32:23.717Z",
+ "modified": "2025-04-16T23:04:55.118Z",
"description": "[WannaCry](https://attack.mitre.org/software/S0366) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)",
"relationship_type": "uses",
"source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json b/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json
index 969cf2bc0d..4b2244445b 100644
--- a/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json
+++ b/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--eae9e3dc-4384-418a-9d64-1ac947d402fc",
+ "id": "bundle--5dd3d5b0-c400-4f85-b7f5-7d76a106aec3",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d58d8b19-90bc-4a7f-840d-076be296ff20",
"created": "2023-09-29T17:09:01.803Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:09:01.803Z",
+ "modified": "2025-04-16T23:04:55.324Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json b/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json
index 4f2a7fccb8..196b34fa79 100644
--- a/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json
+++ b/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c84648f5-0b9c-40d4-949b-3273cb00da73",
+ "id": "bundle--751bf1e2-380e-4598-8055-0f3ef012f467",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a",
"created": "2023-09-28T19:43:49.584Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:43:49.584Z",
+ "modified": "2025-04-16T23:04:55.515Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json b/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json
index 15838251be..6c7ffc78cb 100644
--- a/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json
+++ b/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--de1bca49-7535-46ea-9f61-110d47a82e9e",
+ "id": "bundle--57b567d3-2d94-4993-b1f0-f60ce0c44fe2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d",
"created": "2023-09-29T17:38:17.313Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:38:17.313Z",
+ "modified": "2025-04-16T23:04:55.721Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json b/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json
index bce840ce54..d7843120f5 100644
--- a/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json
+++ b/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a1d50fbb-8edb-49d1-9007-8c6a4c19ab01",
+ "id": "bundle--1b9a1a4f-bfeb-4d8c-8ad0-27ab38d63e60",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0",
"created": "2023-09-29T17:08:23.682Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:08:23.682Z",
+ "modified": "2025-04-16T23:04:55.928Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json b/ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json
index ae63bdeb70..60373b8f5a 100644
--- a/ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json
+++ b/ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--47cfd4fe-460a-4c1b-ba2f-6ad218b65b37",
+ "id": "bundle--83e4cd48-968d-4198-ace0-38a8d5785899",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d648b3c7-77d2-42f3-a367-620621b714ab",
"created": "2023-09-28T21:11:29.314Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:11:29.314Z",
+ "modified": "2025-04-16T23:04:56.117Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d67ae959-9014-4501-b963-42bee03a5e3b.json b/ics-attack/relationship/relationship--d67ae959-9014-4501-b963-42bee03a5e3b.json
index e587e21dab..2675a0ba0a 100644
--- a/ics-attack/relationship/relationship--d67ae959-9014-4501-b963-42bee03a5e3b.json
+++ b/ics-attack/relationship/relationship--d67ae959-9014-4501-b963-42bee03a5e3b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d413de50-e29f-4d6d-8d8b-27c71e679b64",
+ "id": "bundle--d9e6d9b2-9367-431c-95ad-3b7dd4319193",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-15T21:12:52.735Z",
+ "modified": "2025-04-16T23:04:56.322Z",
"description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) caused multiple businesses to halt operations in their industrial environments, impacting their typical business operations. These victims covered multiple sectors.(Citation: Jamie Tarabay and Katrina Manson December 2023)",
"relationship_type": "uses",
"source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json b/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json
index da765c0544..e2ca6c05e4 100644
--- a/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json
+++ b/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--f059c862-fc7e-43c1-9903-1fbb62d16cdc",
+ "id": "bundle--a0c2a39c-aeba-4e0a-9b73-46f50a3956fd",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.209Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:56.527Z",
"description": "When available utilize hardware and software root-of-trust to verify the authenticity of a system. This may be achieved through cryptographic means, such as digital signatures or hashes, of critical software and firmware throughout the supply chain.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json b/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json
index a14def697a..a077d88e1f 100644
--- a/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json
+++ b/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--734850b3-08e4-4fb4-af07-0824bb8be417",
+ "id": "bundle--4f0b7c1c-ce49-4d87-8693-aaf73b6c588f",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:31:22.665Z",
+ "modified": "2025-04-16T23:04:56.745Z",
"description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json b/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json
index f8bb6c8b61..ef33f7797a 100644
--- a/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json
+++ b/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--77ab4a62-6f44-48b0-95b8-c909b0f04641",
+ "id": "bundle--fe5f2c83-b47e-4ee5-a67b-e17666e52e3e",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:28:23.911Z",
+ "modified": "2025-04-16T23:04:56.942Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. (Citation: Jos Wetzels January 2018)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json b/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json
index 8aaf90bbdd..1ba7baea8c 100644
--- a/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json
+++ b/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4e71ee6e-a81b-4987-9477-be6acfb319b0",
+ "id": "bundle--a6e0873a-7e21-433c-917b-b872f0be3ace",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de",
"created": "2023-09-29T18:48:41.176Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:48:41.176Z",
+ "modified": "2025-04-16T23:04:57.155Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json b/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json
index 5f55097be2..2199f0068a 100644
--- a/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json
+++ b/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--63e69d89-1094-46f2-b7ff-53c51c712aff",
+ "id": "bundle--885d3c22-8e98-49bb-8828-b806c72ee2d1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5",
"created": "2023-09-28T20:29:50.745Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:29:50.745Z",
+ "modified": "2025-04-16T23:04:57.388Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json b/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json
index 9be2d7aad9..afd9080ec8 100644
--- a/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json
+++ b/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--672ba039-19a9-4c71-948d-5b64dc0c9d2d",
+ "id": "bundle--359b76eb-8ec5-459d-8392-036cff632d16",
"spec_version": "2.0",
"objects": [
{
@@ -11,23 +11,22 @@
"revoked": false,
"external_references": [
{
- "source_name": "Marc-Etienne M.Lveill October 2017",
- "description": "Marc-Etienne M.Lveill 2017, October 24 Bad Rabbit: NotPetya is back with improved ransomware Retrieved. 2019/10/27 ",
+ "source_name": "ESET Bad Rabbit",
+ "description": "M.L\u00e9veille, M-E.. (2017, October 24). Bad Rabbit: Not\u2011Petya is back with improved ransomware. Retrieved January 28, 2021.",
"url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:31:02.075Z",
- "description": "Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0606), resulting in some computers becoming encrypted, according to media reports. (Citation: Marc-Etienne M.Lveill October 2017)",
+ "modified": "2025-04-16T23:04:57.606Z",
+ "description": "Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0606), resulting in some computers becoming encrypted, according to media reports. (Citation: ESET Bad Rabbit)",
"relationship_type": "uses",
"source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json b/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json
index 78f16c8d9a..a03f05a4a3 100644
--- a/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json
+++ b/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d39603dc-17f1-4df8-aa7e-eae6fcb4b19c",
+ "id": "bundle--93b3ed6c-a361-4ddc-b80a-61e71e95127d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18",
"created": "2023-09-29T16:46:01.992Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:46:01.992Z",
+ "modified": "2025-04-16T23:04:57.843Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json b/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json
index 64098821c1..27a7f2f039 100644
--- a/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json
+++ b/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--91986e00-e2a9-4028-9050-08bb8cddc633",
+ "id": "bundle--d13ff837-fb76-4390-85e8-1cf5ea28fea3",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:28:39.359Z",
+ "modified": "2025-04-16T23:04:58.054Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json b/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json
index 118c863717..7d67231ce7 100644
--- a/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json
+++ b/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a5720961-7875-41b3-b5b2-0142b41d742a",
+ "id": "bundle--05a492d4-d55e-4546-bab6-b03f6581bed8",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:24:28.935Z",
+ "modified": "2025-04-16T23:04:58.274Z",
"description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json b/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json
index 700e0fee9e..19ef43123d 100644
--- a/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json
+++ b/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4dfe9540-94fa-4358-865e-fc49f032a769",
+ "id": "bundle--d5358e42-bc1a-4e61-a471-93887b3390e3",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.447Z",
+ "modified": "2025-04-16T23:04:58.493Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can deploy Tcpdump to sniff network traffic and collect PCAP files.(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json b/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json
index 221b109857..c8675d6b68 100644
--- a/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json
+++ b/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a11c5896-b89c-441c-94d3-d4236061a1cb",
+ "id": "bundle--29d2592d-7c3a-4427-898a-b2ea5e65ff1e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa",
"created": "2023-09-28T21:14:51.778Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:14:51.778Z",
+ "modified": "2025-04-16T23:04:58.678Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json b/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json
index 752aa39ccf..e555b85ffb 100644
--- a/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json
+++ b/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--44b35c22-22fa-4c65-9a3b-928ad4e2f34b",
+ "id": "bundle--30e9c32d-fea1-4d5a-bad5-ddd09cf819d7",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.194Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:04:58.883Z",
"description": "Consider the disabling of features such as AutoRun.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
"target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json b/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json
index 510a9e2fae..3aa579acf9 100644
--- a/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json
+++ b/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--01c9cfda-f774-410e-b2c5-f702377f3c08",
+ "id": "bundle--2d277e96-f58e-4b83-9321-def43fa05042",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d8f95008-33c9-4572-9916-023d8de449b1",
"created": "2023-09-29T18:04:16.785Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:04:16.785Z",
+ "modified": "2025-04-16T23:04:59.116Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json b/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json
index 2d0143349b..d235c60d7d 100644
--- a/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json
+++ b/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--4b5051dc-b3af-4da6-aabc-f444aa69a2fe",
+ "id": "bundle--3a2775e7-7dd0-4bab-a0bf-829362bca191",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:23:33.379Z",
+ "modified": "2025-04-16T23:04:59.321Z",
"description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. (Citation: ICS-CERT August 2018)",
"relationship_type": "uses",
"source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json b/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json
index 43eafd91e1..5184390d71 100644
--- a/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json
+++ b/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--85c7ddf5-7422-4eca-89a7-155d84d96935",
+ "id": "bundle--36f47b69-5287-417e-b095-0f6f7de06d0a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d90b1271-a90d-41c7-9df7-bec47880c82e",
"created": "2022-09-27T15:33:46.485Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T15:33:46.485Z",
+ "modified": "2025-04-16T23:04:59.520Z",
"description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host\u2019s GUI.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
"target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json b/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json
index e363fdd81d..c3483f995f 100644
--- a/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json
+++ b/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0d91c921-8245-47f2-a1b5-39136297c592",
+ "id": "bundle--de5fbfb7-e1a4-40cc-9a4d-ec84dbb35030",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:35:32.480Z",
+ "modified": "2025-04-16T23:04:59.761Z",
"description": "[BlackEnergy](https://attack.mitre.org/software/S0089) targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. (Citation: Booz Allen Hamilton)\n",
"relationship_type": "uses",
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json b/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json
index 1f03189774..fe5f92c9c9 100644
--- a/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json
+++ b/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--519f95ff-2fee-45f4-89ba-836d8b617e84",
+ "id": "bundle--46a4e227-cad3-4779-9ab9-434ac9f68f96",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d96788b4-55dd-48df-bb9b-83b33ca24813",
"created": "2023-09-28T19:55:22.376Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:55:22.376Z",
+ "modified": "2025-04-16T23:04:59.970Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json b/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json
index 2337f64e60..227d5ecc67 100644
--- a/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json
+++ b/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--992d597b-57c8-4132-9181-5fef17efa620",
+ "id": "bundle--84a46a81-faf0-4fd7-b75c-67f4717af76b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d9de58a6-58fd-499c-ba7d-588239297179",
"created": "2023-09-29T16:42:31.464Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:42:31.464Z",
+ "modified": "2025-04-16T23:05:00.181Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json b/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json
index c1e2ad7180..1900368eb1 100644
--- a/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json
+++ b/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c61b4278-38cf-4b40-ab46-226c9c701fa5",
+ "id": "bundle--d09d6414-3acd-4973-be8c-a2fa76a4436d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5",
"created": "2023-09-28T19:51:11.687Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:51:11.687Z",
+ "modified": "2025-04-16T23:05:00.416Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json b/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json
index a65a0ebae5..d0b94f40c2 100644
--- a/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json
+++ b/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fccca3c2-d636-480c-8113-bbdc76b82183",
+ "id": "bundle--01c0e6a0-04df-4ebe-9fb9-a27b7eae245e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a",
"created": "2023-09-29T16:42:53.226Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:42:53.226Z",
+ "modified": "2025-04-16T23:05:00.613Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json b/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json
index 4c969f649c..527398da62 100644
--- a/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json
+++ b/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--4e09a385-d7c0-4e51-9a1f-381c241e61f4",
+ "id": "bundle--c6901669-6c69-462e-b5a1-33b724a5d428",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0",
"created": "2023-09-29T18:06:57.332Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:06:57.332Z",
+ "modified": "2025-04-16T23:05:00.816Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json b/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json
index 893b44f189..061065fa5f 100644
--- a/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json
+++ b/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a39f7d05-8821-4dc4-8614-28e4d9fb98e4",
+ "id": "bundle--feeb69de-5c2d-4dd2-bed3-7c0733ef95dc",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--da987131-bf37-4730-9914-323879d2b5c3",
"created": "2023-09-28T20:34:11.025Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:34:11.025Z",
+ "modified": "2025-04-16T23:05:01.013Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json b/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json
index 6ab583e9ba..50434260e2 100644
--- a/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json
+++ b/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6af68d6f-e2b9-40b2-9774-8c40f4d788ad",
+ "id": "bundle--c0729e0c-220f-4412-a612-dc112829aaca",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8",
"created": "2023-09-28T19:44:22.801Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:44:22.801Z",
+ "modified": "2025-04-16T23:05:01.207Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json b/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json
index 8bd4d61c13..e9893706c1 100644
--- a/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json
+++ b/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--78a56a8a-853d-442a-886d-c29dc9c5c7b2",
+ "id": "bundle--4100f85e-2596-48f6-9002-b88835054330",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:42:28.053Z",
+ "modified": "2025-04-16T23:05:01.406Z",
"description": "Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json b/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json
index 65c33d8569..4526dea100 100644
--- a/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json
+++ b/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a59fd863-e9c8-44aa-98d4-ab39e3c48cdf",
+ "id": "bundle--9f1c7d29-7ba0-4757-a1fe-5eee31ce77d7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--db46e84f-435e-4022-b484-e6d2e253660c",
"created": "2023-09-29T18:06:13.468Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:06:13.468Z",
+ "modified": "2025-04-16T23:05:01.600Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json b/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json
index 1e83b7710e..003c3b6adc 100644
--- a/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json
+++ b/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c5cc335f-f103-4a77-bd7f-34dfe6c053a1",
+ "id": "bundle--99bcb893-ac20-46c2-aac7-6e60df397148",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a",
"created": "2022-09-30T15:34:29.316Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-30T15:34:29.316Z",
+ "modified": "2025-04-16T23:05:01.820Z",
"description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json b/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json
index 4365b2ed4a..82ebe86752 100644
--- a/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json
+++ b/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d67a6fd4-afa3-4e27-a01c-854e4f5a3d14",
+ "id": "bundle--16158972-4e64-4e43-9cb1-36100305482a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--dbcc492c-782e-4418-8373-dbc7a76498b0",
"created": "2023-09-29T17:45:35.293Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:45:35.293Z",
+ "modified": "2025-04-16T23:05:02.024Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json b/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json
index 1fa6c7d91b..eeb5f4f631 100644
--- a/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json
+++ b/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--7fd10c2f-fd9a-4c15-85e3-a5711fcf0b24",
+ "id": "bundle--a6534f83-b0fe-47b6-ae0b-23536da21b36",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.170Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:02.225Z",
"description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json b/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json
index ea6b43f9ea..ae001d7966 100644
--- a/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json
+++ b/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c861ee06-f9a9-459b-803e-ded77e91f3d7",
+ "id": "bundle--019e34c0-8782-4041-a82d-dcc885113cf3",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-17T16:45:08.648Z",
+ "modified": "2025-04-16T23:05:02.424Z",
"description": "Use strong multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials. Be aware of multi-factor authentication interception techniques for some implementations.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json b/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json
index 6cc6489d87..4c2eddd38f 100644
--- a/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json
+++ b/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--2d2225fe-c5af-49ee-84be-c630f5b77dac",
+ "id": "bundle--751c3b8f-0ea7-4f11-a44e-87e5a7e2cdb5",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.218Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:02.622Z",
"description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json b/ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json
index 28cb054d80..2c7610e458 100644
--- a/ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json
+++ b/ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--842c5a38-c337-42ef-ac59-ab2c9b1ceab9",
+ "id": "bundle--f66c9568-b64b-4881-bf25-3e56c4e8209d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f",
"created": "2023-09-29T18:06:35.470Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:06:35.470Z",
+ "modified": "2025-04-16T23:05:02.821Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json b/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json
index 0a5684dfd0..94077c3438 100644
--- a/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json
+++ b/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b25811c7-2920-461c-9398-9a1cb2772480",
+ "id": "bundle--6b723d6e-7ddd-46cf-b6b3-d6f0f1a57436",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:35:58.409Z",
+ "modified": "2025-04-16T23:05:03.016Z",
"description": "Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json b/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json
index 573d79f29d..03a4743ddb 100644
--- a/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json
+++ b/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--33ceb0c5-506a-4eed-8f7d-41687209b771",
+ "id": "bundle--60425c14-0caa-4d5f-9943-1b54117a398b",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T21:23:40.524Z",
+ "modified": "2025-04-16T23:05:03.230Z",
"description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json b/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json
index 18f90ca12d..010d6e694b 100644
--- a/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json
+++ b/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--f2e5b55c-1703-499f-bab3-b89bb8f0449e",
+ "id": "bundle--91362a4d-8cfc-4a28-9403-7950ea90acc8",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.108Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:03.436Z",
"description": "All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json b/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json
index 1633d0ef12..4c3822404c 100644
--- a/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json
+++ b/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e715852c-37b8-4125-9b99-696be93d0165",
+ "id": "bundle--9055c3c3-822d-4686-b63a-4f5dcde4d7eb",
"spec_version": "2.0",
"objects": [
{
@@ -12,8 +12,8 @@
"external_references": [
{
"source_name": "Nzyme Alerts Intro",
- "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.",
- "url": "https://www.nzyme.org/docs/alerts/intro"
+ "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved November 17, 2024.",
+ "url": "https://docs.nzyme.org/wifi/monitoring/network-monitoring/"
},
{
"source_name": "Wireless Intrusion Detection",
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T18:57:13.322Z",
+ "modified": "2025-04-16T23:05:03.637Z",
"description": "New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json b/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json
index 711e227cf5..4afbc41b57 100644
--- a/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json
+++ b/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f833f6ac-b8dd-4e03-8196-e98d035226f4",
+ "id": "bundle--83597641-9934-4457-83f0-efc9dcebed90",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--dead5325-7efe-4dcc-bf78-42b9190f74da",
"created": "2023-09-29T16:46:40.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:46:40.272Z",
+ "modified": "2025-04-16T23:05:03.868Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--deb83319-bc5a-4b9b-a44a-bd369b899601.json b/ics-attack/relationship/relationship--deb83319-bc5a-4b9b-a44a-bd369b899601.json
index 83b5be2574..1d2ffb9779 100644
--- a/ics-attack/relationship/relationship--deb83319-bc5a-4b9b-a44a-bd369b899601.json
+++ b/ics-attack/relationship/relationship--deb83319-bc5a-4b9b-a44a-bd369b899601.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f1949fa3-fb83-4307-be96-c088aa42011d",
+ "id": "bundle--4a6460b5-cf61-4010-89e1-d536c5fd24ea",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--deb83319-bc5a-4b9b-a44a-bd369b899601",
"created": "2024-03-25T20:18:12.056Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-25T20:18:12.056Z",
+ "modified": "2025-04-16T23:05:04.076Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json b/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json
index b015421463..0971388663 100644
--- a/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json
+++ b/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6bf762ca-b63e-46f8-9bfa-9c0ec6f3d179",
+ "id": "bundle--ea3d955a-ad5f-4a7b-8113-8875f1f0d04b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--def57041-6bb4-453a-bf04-188b9e97a35d",
"created": "2023-09-28T21:26:34.603Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:26:34.603Z",
+ "modified": "2025-04-16T23:05:04.312Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json b/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json
index e9849c5cb0..5bfeeebe56 100644
--- a/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json
+++ b/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7535f1f0-97e0-40ac-a730-fdc929331502",
+ "id": "bundle--145b2c6b-4b04-43a8-b76c-9c0c4178a539",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--df321d74-25d6-42da-80e8-3c9a291cb471",
"created": "2023-09-28T19:57:41.602Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:57:41.602Z",
+ "modified": "2025-04-16T23:05:04.505Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json b/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json
index 4655b30eb2..1f6423a2cf 100644
--- a/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json
+++ b/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9921e48b-5625-496a-af17-c391dca139b2",
+ "id": "bundle--62b20904-f44e-469b-8c77-48e58edd15e8",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T16:46:30.174Z",
+ "modified": "2025-04-16T23:05:04.722Z",
"description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
"target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json b/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json
index de49489d57..d6c9921c03 100644
--- a/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json
+++ b/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3022b703-28e8-4760-a3fa-f97c34631b68",
+ "id": "bundle--3dc6385d-a160-498b-a684-ca7a5b9b55ba",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--df7b521e-4496-432f-a61d-3094d0c7bc23",
"created": "2023-09-29T17:58:26.994Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:58:26.994Z",
+ "modified": "2025-04-16T23:05:04.930Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json b/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json
index 5461e901cf..74b2255bcf 100644
--- a/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json
+++ b/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--169c0419-4bc2-42b4-9d6c-1f83e0fd3ee0",
+ "id": "bundle--54762ec2-e1df-4020-a155-a4f27ced14ab",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--df80e2b6-5672-4f26-a19c-a394f3731f24",
"created": "2023-09-28T19:48:48.649Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:48:48.649Z",
+ "modified": "2025-04-16T23:05:05.126Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--df88d021-cb8e-482d-9260-445d0a0244ac.json b/ics-attack/relationship/relationship--df88d021-cb8e-482d-9260-445d0a0244ac.json
index befcdeb88c..13903b1ac9 100644
--- a/ics-attack/relationship/relationship--df88d021-cb8e-482d-9260-445d0a0244ac.json
+++ b/ics-attack/relationship/relationship--df88d021-cb8e-482d-9260-445d0a0244ac.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1b3e7f7b-beee-49c8-aa0d-ab0342e3ef43",
+ "id": "bundle--fcdc0bd4-2bee-4cb1-a3df-418d7d792758",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-17T15:20:41.991Z",
+ "modified": "2025-04-16T23:05:05.322Z",
"description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged the SCIL-API on the MicroSCADA platform to execute commands through the `scilc.exe` binary.(Citation: Mandiant-Sandworm-Ukraine-2022)",
"relationship_type": "uses",
"source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d",
"target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json b/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json
index 247e2486db..d09509c7f9 100644
--- a/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json
+++ b/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ce658d92-69c4-4e9b-bc40-67334afe0914",
+ "id": "bundle--0e75d5e1-f7b0-4cc7-b2af-2f8da4554d2c",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T19:18:47.783Z",
+ "modified": "2025-04-16T23:05:05.514Z",
"description": "Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. Network traffic content will provide valuable context and details about the content of network flows.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json b/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json
index 5500bd7070..538c4e2d24 100644
--- a/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json
+++ b/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6b8ad7ee-96c8-43ed-891c-2f4f0dd02a61",
+ "id": "bundle--2d28cdbc-5af7-4c6c-8339-ea07f2754b78",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da",
"created": "2023-09-28T20:11:11.658Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:11:11.658Z",
+ "modified": "2025-04-16T23:05:05.761Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json b/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json
index bdd3a706d9..cc4871261c 100644
--- a/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json
+++ b/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--65fc4530-b8e5-4d4e-83b4-c9a66ef92cda",
+ "id": "bundle--2184221c-3657-40ca-a14d-a52045bb28b8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--dfb20521-91c2-4f55-b92a-dab959759b78",
"created": "2023-09-29T18:03:38.874Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:03:38.874Z",
+ "modified": "2025-04-16T23:05:05.955Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json b/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json
index fca9c6e895..44127d63d1 100644
--- a/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json
+++ b/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--29edfc39-ae64-4656-9162-59a188733576",
+ "id": "bundle--4642b8a8-007d-438d-a3ae-0f8df435de73",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb",
"created": "2022-04-15T22:05:32.209Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T22:52:24.900Z",
"description": "",
- "modified": "2022-04-15T22:05:32.209Z",
"relationship_type": "revoked-by",
"source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71",
"target_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json b/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json
index 2d6193b0b2..72bfee44a6 100644
--- a/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json
+++ b/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--321f1d9c-62fc-4e55-a516-9af5e99b2b2c",
+ "id": "bundle--e12684e1-9b44-4953-be8b-dd50e23b45dc",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:23:18.048Z",
+ "modified": "2025-04-16T23:05:06.275Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json b/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json
index 92b1c810de..886e8ec2e2 100644
--- a/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json
+++ b/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e6ae0bbf-8f28-428f-95d6-409eb11365db",
+ "id": "bundle--81a6c54c-6741-4e3a-98ab-e842b6806220",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:45:37.289Z",
+ "modified": "2025-04-16T23:05:06.485Z",
"description": "Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of [Valid Accounts](https://attack.mitre.org/techniques/T0859).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json b/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json
index 7b1110b4cf..4cb62693da 100644
--- a/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json
+++ b/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--ea8d779d-0f05-45c5-8788-19368e46d4fb",
+ "id": "bundle--11d99b3a-2da0-48b6-ba7f-fd1bb0049cc5",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.227Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:06.707Z",
"description": "Prevent the use of unsigned executables, such as installers and scripts.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json b/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json
index e043ed32b2..49232e4b3a 100644
--- a/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json
+++ b/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e933a9bf-3601-40be-8e36-67ac2703d399",
+ "id": "bundle--bc1c2748-3e35-447d-920e-b19af42b8bf1",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:43:48.288Z",
+ "modified": "2025-04-16T23:05:06.940Z",
"description": "Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
"target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json b/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json
index 54054950ad..fd6baac0eb 100644
--- a/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json
+++ b/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--93b4bf98-b015-4ae7-ac41-93ecb4313765",
+ "id": "bundle--f58753df-3d49-407c-840e-5e66e28b2248",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:23:47.107Z",
+ "modified": "2025-04-16T23:05:07.176Z",
"description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through a trojanized installer attached to emails. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)",
"relationship_type": "uses",
"source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
"target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json b/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json
index 7400a38041..d318ffcffd 100644
--- a/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json
+++ b/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--8ffcd2a6-3bdd-4e9b-aaee-291577350e8f",
+ "id": "bundle--05ab5558-8e8f-4638-8928-2fada5f6c69c",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.123Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:07.401Z",
"description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json b/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json
index 50bcb4b920..4cfce23e6a 100644
--- a/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json
+++ b/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--12a746d9-c4c0-484b-b2a2-1ab1960d2733",
+ "id": "bundle--bf9a1694-7027-4378-ac93-1ab77d98c74e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb",
"created": "2023-03-10T20:08:40.601Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-10T20:08:40.601Z",
+ "modified": "2025-04-16T23:05:07.595Z",
"description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network, preventing them from viewing the state of the system.(Citation: Marshall Abrams July 2008)",
"relationship_type": "uses",
"source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
"target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json b/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json
index ab6f718ae4..2d6b009ce7 100644
--- a/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json
+++ b/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2e6554a5-04f7-4d33-b9e8-a60e4e3ecf2c",
+ "id": "bundle--b4022aed-3a37-4517-a519-d8ece95a1060",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e",
"created": "2023-09-28T19:42:54.009Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:42:54.009Z",
+ "modified": "2025-04-16T23:05:07.806Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json b/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json
index e4640f5636..35b5a05383 100644
--- a/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json
+++ b/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b8e610c9-3d06-4ee3-b01e-adcd086f1687",
+ "id": "bundle--c6b6b88b-c5f0-459d-af89-71e6a5dce00b",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:40:47.334Z",
- "description": "Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.",
+ "modified": "2025-04-16T23:05:08.015Z",
+ "description": "Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". For added context on adversary procedures and background see [Masquerading Mitigation](https://attack.mitre.org/mitigations/T1036) and applicable sub-techniques.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json b/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json
index dc4eaf739f..81b8c76ed6 100644
--- a/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json
+++ b/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--7e28d345-8ce4-431c-bd59-b359b216de50",
+ "id": "bundle--3da889d8-94aa-42a5-8c90-c1a3cd351dfa",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-07T17:54:45.912Z",
+ "modified": "2025-04-16T23:05:08.219Z",
"description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.(Citation: Dragos Crashoverride 2018)",
"relationship_type": "uses",
"source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json b/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json
index 854f26a1e1..a9811e7954 100644
--- a/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json
+++ b/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fdaf733f-7106-42d1-86a5-1ca573d35d26",
+ "id": "bundle--fad79170-c881-461d-a512-f41fc99a8b00",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74",
"created": "2023-09-29T17:08:48.251Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:08:48.251Z",
+ "modified": "2025-04-16T23:05:08.436Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json b/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json
index d7debd8174..8e7966ebc4 100644
--- a/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json
+++ b/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f65f9a49-dea2-4c74-9f45-a07d0d4f1755",
+ "id": "bundle--9b07b225-c8f0-4cce-b8c5-435f11a14248",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T19:02:08.013Z",
+ "modified": "2025-04-16T23:05:08.633Z",
"description": "Monitor operational data for indicators of temporary data loss which may indicate a Denial of Service. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
"target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json b/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json
index befd0aedf0..fb0c09df99 100644
--- a/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json
+++ b/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f79acafd-fc7d-42c7-93f1-72ba370e9e39",
+ "id": "bundle--c60b076e-3b68-49cf-ac63-1427b673d059",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4",
"created": "2023-09-28T20:09:07.381Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:09:07.381Z",
+ "modified": "2025-04-16T23:05:08.845Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json b/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json
index 8c95512520..4c02523efc 100644
--- a/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json
+++ b/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--af81c2da-68ae-46a0-8ab8-80c3bf72e0dc",
+ "id": "bundle--afb68262-b439-4d7a-b23b-42ce9d22cde7",
"spec_version": "2.0",
"objects": [
{
@@ -12,8 +12,8 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
},
{
"source_name": "Langer Stuxnet",
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-17T16:01:04.366Z",
+ "modified": "2025-04-16T23:05:09.057Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions. (Citation: Langer Stuxnet) (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json b/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json
index f10abe788d..941d126dfa 100644
--- a/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json
+++ b/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--093a7606-86af-4143-8974-d9ca0b477bf0",
+ "id": "bundle--fd81b3f5-7ee9-4b57-90e3-240ae5cff2b3",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:06:56.076Z",
+ "modified": "2025-04-16T23:05:09.276Z",
"description": "[REvil](https://attack.mitre.org/software/S0496) uses the SMB protocol to encrypt files located on remotely connected file shares. (Citation: Max Heinemeyer February 2020)",
"relationship_type": "uses",
"source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json b/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json
index 52939acf1c..b1df374495 100644
--- a/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json
+++ b/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--8dde807d-1247-4845-82ba-a716f515ae08",
+ "id": "bundle--7e7ed25e-300f-4321-88c0-ee4aba667f5e",
"spec_version": "2.0",
"objects": [
{
@@ -29,15 +29,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-13T16:53:47.448Z",
+ "modified": "2025-04-16T23:05:09.492Z",
"description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Wylie-22) ",
"relationship_type": "uses",
"source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
"target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json b/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json
index 5014ff1219..b6df80834d 100644
--- a/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json
+++ b/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e8431d41-b75b-455c-a7c3-100ecdd5983e",
+ "id": "bundle--fe7645d0-32df-4a23-8783-49f099f51a7f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e3b04152-0c90-41ff-a333-c5163fa9714f",
"created": "2023-09-29T17:41:22.619Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:41:22.619Z",
+ "modified": "2025-04-16T23:05:09.685Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e41a04fe-a142-4294-a9f2-576214e1f985.json b/ics-attack/relationship/relationship--e41a04fe-a142-4294-a9f2-576214e1f985.json
index abbce8307d..6bf91bb07f 100644
--- a/ics-attack/relationship/relationship--e41a04fe-a142-4294-a9f2-576214e1f985.json
+++ b/ics-attack/relationship/relationship--e41a04fe-a142-4294-a9f2-576214e1f985.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--eba6dc33-3fa3-4bc8-af6b-1cbf1ba59fb7",
+ "id": "bundle--bae07111-96ad-4402-b19c-113feded839b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e41a04fe-a142-4294-a9f2-576214e1f985",
"created": "2024-04-09T20:48:04.616Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:48:04.616Z",
+ "modified": "2025-04-16T23:05:09.881Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json b/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json
index b4d0601d8f..fc0a77954f 100644
--- a/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json
+++ b/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--abc6bd7a-0616-4036-b721-00508d5f5ed2",
+ "id": "bundle--6fa62d94-e83d-48fa-a8d6-86451cbab135",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e434db5d-f201-4411-825f-4a50e1e78c75",
"created": "2023-09-29T17:06:20.834Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:06:20.834Z",
+ "modified": "2025-04-16T23:05:10.093Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json b/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json
index 84416989a7..3c2feca97f 100644
--- a/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json
+++ b/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9c5c40ed-28fb-4030-a72d-d93106763a92",
+ "id": "bundle--072b2d6f-e616-4305-9661-afe31098025d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc",
"created": "2023-09-29T18:49:44.351Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:49:44.351Z",
+ "modified": "2025-04-16T23:05:10.309Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json b/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json
index 87a2daaf37..7ffc318d87 100644
--- a/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json
+++ b/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--62a57b94-b2a9-446d-87dc-676cb6da85f9",
+ "id": "bundle--0eee6583-24a9-477a-97f9-f29dec76f114",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:51:08.392Z",
- "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).",
+ "modified": "2025-04-16T23:05:10.499Z",
+ "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery Mitigation](https://attack.mitre.org/mitigations/T1018).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json b/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json
index d9b7eadb8a..0cf4bb586a 100644
--- a/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json
+++ b/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--85ad02c7-5aad-4d67-aecc-e41993e0c370",
+ "id": "bundle--f804a618-3627-4d4f-965c-372461e15ab6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972",
"created": "2023-09-29T16:45:33.777Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:45:33.777Z",
+ "modified": "2025-04-16T23:05:10.725Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a.json b/ics-attack/relationship/relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a.json
index 01d22ff9c3..a42f767527 100644
--- a/ics-attack/relationship/relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a.json
+++ b/ics-attack/relationship/relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--518f9f0e-8957-4ae6-987f-e9002f3ce003",
+ "id": "bundle--247e67ed-525c-4eab-9c77-ad2cf1ca3636",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a",
"created": "2024-04-09T21:00:11.159Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T21:00:11.159Z",
+ "modified": "2025-04-16T23:05:10.930Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
"target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json b/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json
index 9ebb7f026f..0cffaea7e2 100644
--- a/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json
+++ b/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--fbadd991-ec53-4c0c-8028-7b973ffc56d2",
+ "id": "bundle--3a3d6cd8-92fb-4118-9c4d-b10dd3855970",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.106Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:11.141Z",
"description": "Utilize exploit protection to prevent activities which may be exploited through malicious web sites.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json b/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json
index a16729a0b8..6963aae28b 100644
--- a/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json
+++ b/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e645e59d-7206-402b-9c1c-bdcf55de4ece",
+ "id": "bundle--395adace-79b1-4fa9-aae4-6eab5c33f15e",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:52:04.484Z",
+ "modified": "2025-04-16T23:05:11.410Z",
"description": "Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json b/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json
index d8913f0077..e6a16a42a1 100644
--- a/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json
+++ b/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fa9edda8-b1c6-4bbe-a563-2ec50adf3216",
+ "id": "bundle--b49ec9d5-3819-45fb-83c7-09d746f3440f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454",
"created": "2023-10-02T20:17:51.320Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:17:51.320Z",
+ "modified": "2025-04-16T23:05:11.594Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json b/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json
index 1686eac9db..7ac5032667 100644
--- a/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json
+++ b/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--e4366248-207f-41a2-99b0-0a16de36bddd",
+ "id": "bundle--a02ec7b2-dedf-4e8d-afb9-8fb2efcfbc57",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--e607bb66-e53f-4684-b3f1-36a997e27d01",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.087Z",
- "relationship_type": "mitigates",
- "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n",
- "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401",
- "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004",
@@ -23,9 +15,16 @@
"url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:11.807Z",
+ "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401",
+ "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json b/ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json
index af43101dba..0b530a2749 100644
--- a/ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json
+++ b/ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--694a0fbe-503b-4682-a8c6-edef00444e74",
+ "id": "bundle--5065cd7b-355e-4ecd-bbee-e03be423b298",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb",
"created": "2023-09-28T20:30:32.778Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:30:32.778Z",
+ "modified": "2025-04-16T23:05:12.007Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json b/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json
index 346704fe22..abb571c066 100644
--- a/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json
+++ b/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a2ed65ca-4f81-4892-99e5-33bcdd215248",
+ "id": "bundle--ef6db26d-a375-47ea-bd67-98e7528ad834",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:42:45.693Z",
+ "modified": "2025-04-16T23:05:12.222Z",
"description": "All field controllers should restrict the modification of parameter values to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. They should also restrict online edits and enable write protection for parameters. \n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json b/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json
index 8934885c45..92df7cd184 100644
--- a/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json
+++ b/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--520e9ed7-6b3f-42bc-8e92-327152be0c5d",
+ "id": "bundle--f41b107e-fe01-4774-b48c-b6b0847167c0",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.081Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:12.419Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json b/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json
index 46eceb8389..7e68fffc4e 100644
--- a/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json
+++ b/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a74261bc-7335-4dee-9be2-d15249f62ff4",
+ "id": "bundle--071f2fe3-45c6-4171-9d1c-4cb83b5ef18e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9",
"created": "2023-09-28T19:42:16.270Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:42:16.270Z",
+ "modified": "2025-04-16T23:05:12.625Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json b/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json
index 99ed06c8ea..419976e9ba 100644
--- a/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json
+++ b/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--4bf42af3-5f43-4f1c-9c68-e5c8e8d88212",
+ "id": "bundle--5da4c0ac-dde1-4cf1-b414-b8fb39d71d26",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.109Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:12.823Z",
"description": "Application isolation will limit the other processes and system features an exploited target can access. Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
"target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e78ff18e-c919-4145-b8b8-540ae7dc94d2.json b/ics-attack/relationship/relationship--e78ff18e-c919-4145-b8b8-540ae7dc94d2.json
index 4ed24a6bbe..ffa96d29c4 100644
--- a/ics-attack/relationship/relationship--e78ff18e-c919-4145-b8b8-540ae7dc94d2.json
+++ b/ics-attack/relationship/relationship--e78ff18e-c919-4145-b8b8-540ae7dc94d2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--eb683a01-ac79-4516-8127-7519af364721",
+ "id": "bundle--77d4ae0d-7113-4fcd-a732-3c0fd4afe386",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e78ff18e-c919-4145-b8b8-540ae7dc94d2",
"created": "2024-03-26T15:40:53.801Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-26T15:40:53.801Z",
+ "modified": "2025-04-16T23:05:13.039Z",
"description": "Monitor for newly constructed drive letters or mount points to removable media. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f",
"target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json b/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json
index cae36e0e0f..71500b6542 100644
--- a/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json
+++ b/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--7ac0c09e-67c9-46dd-85b3-ef441beeb52f",
+ "id": "bundle--9db2fae0-bb68-4158-a6a8-b535ea8413f6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2",
"created": "2023-09-29T16:45:20.769Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:45:20.769Z",
+ "modified": "2025-04-16T23:05:13.276Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f.json b/ics-attack/relationship/relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f.json
new file mode 100644
index 0000000000..f0f1a9f943
--- /dev/null
+++ b/ics-attack/relationship/relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--45c0947a-79a8-48ec-8b9e-2c141615d146",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f",
+ "created": "2024-11-20T23:25:47.710Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:13.477Z",
+ "description": "During [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary initiated a firmware downgrade on victim devices to a version lacking monitoring.(Citation: Dragos FROSTYGOOP 2024)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f",
+ "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json b/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json
index 259834af76..cbe23bd822 100644
--- a/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json
+++ b/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--88ac7ca8-912d-4b3f-a4a8-a18ab7f55fe1",
+ "id": "bundle--361c542e-e662-46fb-a350-7e95f90040f8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42",
"created": "2023-09-29T16:39:41.736Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:39:41.736Z",
+ "modified": "2025-04-16T23:05:13.666Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json b/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json
index 05c0301d8d..44bcfdcf28 100644
--- a/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json
+++ b/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--1b3a2b89-e595-4b57-b848-44e5a8192a29",
+ "id": "bundle--4d668b5d-fb65-4bc2-acc3-7fdf2987a83b",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.097Z",
- "relationship_type": "mitigates",
- "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
- "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
- "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "M. Rentschler and H. Heine",
@@ -23,9 +15,16 @@
"url": "https://ieeexplore.ieee.org/document/6505877"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:13.884Z",
+ "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
+ "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json b/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json
index 185a5282c4..ad6ad46306 100644
--- a/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json
+++ b/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--474e7c96-565b-45f0-b093-45b54f4bd9a1",
+ "id": "bundle--726d0560-c129-4642-b139-8df3f3abca05",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.104Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:14.089Z",
"description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json b/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json
index a7fe99f810..ab17330eac 100644
--- a/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json
+++ b/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--eba6c1ce-383e-4169-9c5b-bafa3616bc3f",
+ "id": "bundle--c6cacb06-95e4-40bf-95f8-7201f16a189b",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:46:16.720Z",
+ "modified": "2025-04-16T23:05:14.322Z",
"description": "When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json b/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json
index 67f75587cd..500ef45c55 100644
--- a/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json
+++ b/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--1bf89d41-5d3c-4970-ad75-f5ca971b1d83",
+ "id": "bundle--1efc29ca-d515-4cf4-a686-9a1749467f3f",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.088Z",
- "relationship_type": "mitigates",
- "description": "Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n",
- "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
- "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:14.533Z",
+ "description": "Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
+ "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json b/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json
index 514c184d33..83cfd357f1 100644
--- a/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json
+++ b/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--1998bb45-1363-4b15-bc25-e0a34696dfae",
+ "id": "bundle--69b1ce09-c10f-426a-b8f5-1159755747d9",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8",
"created": "2023-09-28T19:50:30.312Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:50:30.312Z",
+ "modified": "2025-04-16T23:05:14.760Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json b/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json
index 26c9075984..639d25d659 100644
--- a/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json
+++ b/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--73f658f8-1636-48d9-b578-c94e6026cac7",
+ "id": "bundle--9d98ed5a-bc7a-4214-9641-028c235dec06",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e915e12c-3d0c-4f60-b119-9414940abb0b",
"created": "2023-09-28T20:08:27.145Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:08:27.145Z",
+ "modified": "2025-04-16T23:05:14.982Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json b/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json
index 89fb759ade..2775afe276 100644
--- a/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json
+++ b/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a9fdea59-434b-47a7-b38c-550f7008484f",
+ "id": "bundle--71253123-c7e9-417a-9ffa-0c345b8510b7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42",
"created": "2023-09-28T19:45:18.672Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:45:18.672Z",
+ "modified": "2025-04-16T23:05:15.180Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json b/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json
index 4093cc5a86..f53ee74121 100644
--- a/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json
+++ b/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e1dd73ae-7372-4e8c-ab27-3ef0e0d82785",
+ "id": "bundle--7ce4a9d2-1d1f-42c4-8e72-e1ebc523f60d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--e98892d6-e036-4140-adbb-2932dba51a19",
"created": "2023-09-28T20:08:09.519Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:08:09.519Z",
+ "modified": "2025-04-16T23:05:15.413Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json b/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json
index b783555475..b2fa66ad3d 100644
--- a/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json
+++ b/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json
@@ -1,30 +1,30 @@
{
"type": "bundle",
- "id": "bundle--84ecc9a6-28f3-4bfd-931c-9542b947022e",
+ "id": "bundle--1927f914-d38d-4f72-adbd-033e8a65773e",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc",
"type": "relationship",
+ "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc",
"created": "2020-05-14T14:41:42.975Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
+ "source_name": "FireEye FIN6 Apr 2019",
"description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.",
- "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
- "source_name": "FireEye FIN6 Apr 2019"
+ "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"
}
],
- "modified": "2020-05-15T19:15:35.568Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T22:55:03.806Z",
"description": "(Citation: FireEye FIN6 Apr 2019)",
"relationship_type": "uses",
"source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json b/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json
index ee5ed23ef8..17194de89c 100644
--- a/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json
+++ b/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--2abdcc5c-c5b6-4279-9218-a38739ca034d",
+ "id": "bundle--e857748b-7068-4ba5-90bf-afc1593124d9",
"spec_version": "2.0",
"objects": [
{
@@ -34,15 +34,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:28:54.342Z",
+ "modified": "2025-04-16T23:05:15.720Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) disables a firmware RAM/ROM consistency check after injects a payload (imain.bin) into the firmware memory region. (Citation: DHS CISA February 2019) (Citation: ICS-CERT December 2018) (Citation: Schneider Electric January 2018) Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. (Citation: The Office of Nuclear Reactor Regulation)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json b/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json
index 3bda9725ec..c0dec16a91 100644
--- a/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json
+++ b/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b5774074-72b4-4b5d-8073-4c70ca5245bc",
+ "id": "bundle--801f07dc-1899-4aa2-80c4-d8cf9effab06",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:51:47.079Z",
+ "modified": "2025-04-16T23:05:15.901Z",
"description": "Monitor ICS automation protocols for functions that restart or shutdown a device. Commands to restart or shutdown devices may also be observable in traditional IT management protocols.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json b/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json
index 73e82aca68..d72f21af25 100644
--- a/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json
+++ b/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--2f3b8d3f-d735-4e38-938a-e41d0f9f39b4",
+ "id": "bundle--eb62444a-910f-4bad-9e81-56793787a6f4",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--ea817c7a-9424-4204-90a5-6f8fb86037be",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.230Z",
- "relationship_type": "mitigates",
- "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n",
- "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02",
- "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:16.094Z",
+ "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02",
+ "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json b/ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json
index 7f456cb607..d1afcbd1d3 100644
--- a/ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json
+++ b/ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a5ad11b1-605f-4919-95cd-2bf001acb257",
+ "id": "bundle--cb59b700-dfbf-44ea-8d75-64825c4d03f2",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4",
"created": "2023-09-29T17:38:59.611Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:38:59.611Z",
+ "modified": "2025-04-16T23:05:16.312Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json b/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json
index ca60505497..e8ea617b7f 100644
--- a/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json
+++ b/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--99d1d2b1-f769-4d5d-a4a6-0ef1ec443a20",
+ "id": "bundle--92799a2c-56fd-41b6-98cb-c4fefb95254a",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.101Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:16.507Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json b/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json
index 82f66cc9dc..62c76e5a38 100644
--- a/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json
+++ b/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--b929343d-b540-41fb-9630-85a5f6930eac",
+ "id": "bundle--f75947ef-4057-41d0-8ec1-6a96de78abd1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960",
"created": "2023-09-28T20:28:52.768Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:28:52.768Z",
+ "modified": "2025-04-16T23:05:16.718Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json b/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json
index 682b429542..e100aefe97 100644
--- a/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json
+++ b/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6b9f048f-d5f2-41e3-b04a-b811ea023340",
+ "id": "bundle--a087d590-ac20-4ac2-9d82-bca85f9b5597",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53",
"created": "2023-09-28T20:05:15.314Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:05:15.314Z",
+ "modified": "2025-04-16T23:05:17.058Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json b/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json
index d2ddfa0793..c67b60b3d2 100644
--- a/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json
+++ b/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0be1114b-3474-4d21-b1e8-1b583691ecdb",
+ "id": "bundle--9b07811f-bca4-4e33-80a5-664bc232318e",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:20:42.055Z",
+ "modified": "2025-04-16T23:05:17.271Z",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json b/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json
index 17044a87ed..fbee8068b4 100644
--- a/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json
+++ b/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1aede560-c6d6-4f26-9bd1-2fc7af3f4e2f",
+ "id": "bundle--41f3cdc0-8925-495a-b0b7-6a640ee16b8a",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:42:04.422Z",
+ "modified": "2025-04-16T23:05:17.472Z",
"description": "Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json b/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json
index 0d7ba7a92c..fc5a84df22 100644
--- a/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json
+++ b/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ff353886-adec-4a47-918d-ed35d1024302",
+ "id": "bundle--563750d7-0fac-4c45-91ba-1c60a7510d52",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b",
"created": "2023-09-28T19:44:09.311Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:44:09.311Z",
+ "modified": "2025-04-16T23:05:17.683Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json b/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json
index 87b8dc8e54..05ebda2402 100644
--- a/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json
+++ b/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c55b2ef9-6d02-4764-a486-4d4d5ebc61e0",
+ "id": "bundle--0e94a7f7-9fa4-4de5-985b-6d4000f2edc6",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:01:24.078Z",
+ "modified": "2025-04-16T23:05:17.881Z",
"description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. June 2017)",
"relationship_type": "uses",
"source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json b/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json
index f38ce8c2ef..a7fa86d93d 100644
--- a/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json
+++ b/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--163ed2fe-5152-41e9-9687-64cb1216dd94",
+ "id": "bundle--36e01faf-f1d0-47ee-9027-ad07abf70856",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--eb5310c6-7500-4b16-8ca7-6678c6232001",
"created": "2023-09-29T19:36:38.824Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T19:36:38.824Z",
+ "modified": "2025-04-16T23:05:18.076Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json b/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json
index f72c6f7a84..09f746d003 100644
--- a/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json
+++ b/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--1538b34f-6a07-46c0-a3d6-d31b0646bf04",
+ "id": "bundle--a6170c01-f82d-4fb6-b319-09240b99aa82",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.175Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:18.320Z",
"description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json b/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json
index 766939b1fd..1b2b1e702f 100644
--- a/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json
+++ b/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a12d65ad-47be-46a0-ad41-0e03e9f22c6c",
+ "id": "bundle--5a443b86-a016-4740-81f6-260a35c45e34",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0",
"created": "2023-09-29T17:09:37.977Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:09:37.977Z",
+ "modified": "2025-04-16T23:05:18.505Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json b/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json
index 79522db95d..a0f079f397 100644
--- a/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json
+++ b/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--7272e621-8187-4337-8d09-ae099f95cc1b",
+ "id": "bundle--044505ce-2982-43c4-9920-c6f8c72fca3d",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.177Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:18.720Z",
"description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json b/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json
index 9b4ec2806c..5b40de3340 100644
--- a/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json
+++ b/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3cb410ae-abc3-4b3b-a786-22c30ba8b276",
+ "id": "bundle--c189464f-0387-4264-bb0d-690a9ac94de7",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643",
"created": "2023-09-28T21:25:48.379Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:25:48.379Z",
+ "modified": "2025-04-16T23:05:18.922Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json b/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json
index 822c88a448..2f20f85f56 100644
--- a/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json
+++ b/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--68ca2efd-b082-49ef-998e-259a2989c3a6",
+ "id": "bundle--e4cbe750-2af1-4404-8add-b2443d05954d",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.139Z",
- "relationship_type": "mitigates",
- "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
- "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
- "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "National Institute of Standards and Technology April 2013",
@@ -23,9 +15,16 @@
"url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:19.135Z",
+ "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
+ "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json b/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json
index 51a5a3b4d2..207cf70533 100644
--- a/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json
+++ b/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9e57e9de-3aed-4f29-bc7e-786d5ddad929",
+ "id": "bundle--f0386600-6e1e-49d3-8e45-5468b1954a65",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ed095993-bc85-431e-9621-437143f16d44",
"created": "2023-09-29T17:44:09.285Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:44:09.285Z",
+ "modified": "2025-04-16T23:05:19.379Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json b/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json
index 36fda3de6c..65816cddec 100644
--- a/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json
+++ b/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--859c7bfa-afbc-495c-b6d7-5734421fd447",
+ "id": "bundle--f1e13ed4-0ead-4a40-a922-e7a632247da8",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ed3ce006-cf41-46f6-bd86-054314c130dc",
"created": "2023-09-28T21:15:57.120Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:15:57.120Z",
+ "modified": "2025-04-16T23:05:19.565Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json b/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json
index 508eed36ff..efbed54752 100644
--- a/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json
+++ b/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--010c24a6-aa9d-49e6-8670-a2d81494c6e4",
+ "id": "bundle--26d4aada-aab8-411e-a9e1-b3bdf302f8bd",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ed3ef546-566a-46c7-918e-7bfa10d05991",
"created": "2023-09-29T17:06:47.370Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:06:47.370Z",
+ "modified": "2025-04-16T23:05:19.779Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json b/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json
index a48b86b797..302f8e9dea 100644
--- a/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json
+++ b/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--976c882f-374a-4854-ab88-a8b704ff2518",
+ "id": "bundle--68ea2561-e23c-42ed-95ea-3ec5ad1a092a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ed66e087-8877-4146-a16a-44cfd144a3d8",
"created": "2023-09-29T17:07:00.450Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:07:00.450Z",
+ "modified": "2025-04-16T23:05:19.992Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json b/ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json
index f24a95ecd1..937642ee81 100644
--- a/ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json
+++ b/ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--9d8ee18d-3167-4b7e-85bc-b76eb8c4a502",
+ "id": "bundle--1236608f-c35b-4f0a-b699-d5483f1c73ed",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ed8b97e2-5966-4844-a636-524541a46e43",
"created": "2023-09-29T16:39:18.448Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:39:18.448Z",
+ "modified": "2025-04-16T23:05:20.202Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json b/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json
index a084bc8200..3fcddcb387 100644
--- a/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json
+++ b/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a169fb3a-95bf-4cf7-8232-bf50b425b8d3",
+ "id": "bundle--6c39d38f-9c75-4086-8fdb-3204c42722ca",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb",
"created": "2023-09-29T16:39:29.206Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:39:29.206Z",
+ "modified": "2025-04-16T23:05:20.412Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json b/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json
index 8ef580fed8..baf12f8373 100644
--- a/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json
+++ b/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--099f6c0d-7bd9-4ca1-a632-7cd318006223",
+ "id": "bundle--404865d1-1ca1-4acd-a8ca-dc8355b6e006",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:39:41.897Z",
+ "modified": "2025-04-16T23:05:20.619Z",
"description": "Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json b/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json
index 258ae3213c..66fdb5b7d2 100644
--- a/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json
+++ b/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3d1e22ce-e572-419b-a4bc-6093351efdcd",
+ "id": "bundle--e8ed0d83-0364-47a2-88da-ce6082ef2f96",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b",
"created": "2023-09-29T17:58:54.996Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:58:54.996Z",
+ "modified": "2025-04-16T23:05:20.853Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json b/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json
index 9fc269edf6..3fb2c1b6c0 100644
--- a/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json
+++ b/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--135e2727-73ca-4d48-9cae-b92a987c809a",
+ "id": "bundle--36d03176-6c16-4b40-a206-d5f8d12a7015",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1",
"created": "2023-09-28T21:12:00.004Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:12:00.004Z",
+ "modified": "2025-04-16T23:05:21.055Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json b/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json
index bb15b54fb0..ebe310c38c 100644
--- a/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json
+++ b/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--fd73fb34-7cc3-4888-9de7-02ed6b76ae5b",
+ "id": "bundle--dc0d631b-82d0-4fcb-829a-b2a5cc5cbeb1",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:31:21.210Z",
+ "modified": "2025-04-16T23:05:21.272Z",
"description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)",
"relationship_type": "uses",
"source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json b/ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json
index 3d121ab020..3f451a436f 100644
--- a/ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json
+++ b/ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--e582662c-d97b-4ee2-ac17-1c0fe92a1c06",
+ "id": "bundle--0cd85964-bf39-4dd9-8e3f-b175fbe0c8b6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2",
"created": "2023-09-29T17:58:04.082Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:58:04.082Z",
+ "modified": "2025-04-16T23:05:21.474Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json b/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json
index 695aae767a..b38fb03cc0 100644
--- a/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json
+++ b/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--929b227c-904a-4ec8-b848-c0e5e1f5d1e1",
+ "id": "bundle--bf6dc958-f742-4653-8564-9336e6eee7b3",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:44:27.451Z",
+ "modified": "2025-04-16T23:05:21.675Z",
"description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json b/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json
index fd3871a78e..eff13d5c48 100644
--- a/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json
+++ b/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--28c641f9-f87c-4bcb-9355-d3b3a69e6d34",
+ "id": "bundle--955e71b9-42a3-48e9-849e-c30edce0036f",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:07:33.947Z",
+ "modified": "2025-04-16T23:05:21.902Z",
"description": "[REvil](https://attack.mitre.org/software/S0496) utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. (Citation: Tom Fakterman August 2019)",
"relationship_type": "uses",
"source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
"target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json b/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json
index c51adc3671..e09384790b 100644
--- a/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json
+++ b/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--06492f60-d164-4a59-8cb9-1c31a0fc5d1a",
+ "id": "bundle--9173190b-d39d-4071-93e8-309b279584dc",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:35:50.632Z",
+ "modified": "2025-04-16T23:05:22.101Z",
"description": "[BlackEnergy](https://attack.mitre.org/software/S0089) utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. (Citation: Booz Allen Hamilton)\n",
"relationship_type": "uses",
"source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json b/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json
index fd8646ddbc..b4d1f80c1f 100644
--- a/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json
+++ b/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--0a495143-9bc6-435c-a0dc-1aaab40c5dd9",
+ "id": "bundle--b7799ea9-faf2-4672-b391-9035863afe24",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97",
"created": "2023-09-28T20:05:33.450Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:05:33.450Z",
+ "modified": "2025-04-16T23:05:22.308Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json b/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json
index 0a4b421187..3179e5bcb0 100644
--- a/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json
+++ b/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--5674eb94-252d-42a0-8826-a59725377471",
+ "id": "bundle--e93c1769-f5ef-4be2-bfd5-878e16e45e98",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.065Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:22.504Z",
"description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json b/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json
index d9e633fc38..dcdae085bb 100644
--- a/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json
+++ b/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6318963f-6e7e-4535-a8af-76fedb684a28",
+ "id": "bundle--cc881f21-9819-467d-a8d7-fa2d7fae3e2f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6",
"created": "2023-09-28T20:04:07.868Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:04:07.868Z",
+ "modified": "2025-04-16T23:05:22.759Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json b/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json
index 43bbca0ffa..6d850e78ae 100644
--- a/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json
+++ b/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--5565f316-5c32-4edb-a015-44bf4f75935d",
+ "id": "bundle--b6001549-1358-4124-9e6a-9eebc81e0bc4",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-19T21:23:52.947Z",
+ "modified": "2025-04-16T23:05:22.949Z",
"description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
"target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json b/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json
index c47065fa19..dcf45ac617 100644
--- a/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json
+++ b/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--d510bd08-787a-429c-843b-046fd198aeb1",
+ "id": "bundle--7825728b-d3e4-413b-8c9c-cd775bc0abe5",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.231Z",
- "relationship_type": "mitigates",
- "description": "Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n",
- "source_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722",
- "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Keith Stouffer May 2015",
@@ -28,9 +20,16 @@
"url": "https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:23.149Z",
+ "description": "Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722",
+ "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json b/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json
index 3bbb9dce2e..21baac205a 100644
--- a/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json
+++ b/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--80573c1f-8d6f-472d-a844-86e721775618",
+ "id": "bundle--70004ad9-85e0-4a3f-8f53-28b7dc09291c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8",
"created": "2023-09-28T21:11:45.241Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:11:45.241Z",
+ "modified": "2025-04-16T23:05:23.369Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json b/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json
index ba46f89df3..019c5af64b 100644
--- a/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json
+++ b/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--44c83d11-6ee7-4ef2-8cb6-416be2344da0",
+ "id": "bundle--471c8cbf-466c-4b8c-96f1-68ae9c57457b",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.076Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:23.586Z",
"description": "All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json b/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json
index a1c8269fdc..cd7b3bb336 100644
--- a/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json
+++ b/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a0e40b7b-420e-4d40-9935-49ce3609d8fe",
+ "id": "bundle--5417f397-bda6-44c5-bac0-0247795626a1",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3",
"created": "2023-09-28T19:54:48.577Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:54:48.577Z",
+ "modified": "2025-04-16T23:05:23.790Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json b/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json
index 87d341826f..b89340d0cd 100644
--- a/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json
+++ b/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--dfea3a68-9bb9-4a79-9431-a5e872a92cd3",
+ "id": "bundle--66a59f72-16ff-4a06-9a8f-f4491349effe",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T16:12:48.097Z",
+ "modified": "2025-04-16T23:05:23.983Z",
"description": "[Dragonfly](https://attack.mitre.org/groups/G0035) trojanized legitimate ICS equipment providers software packages available for download on their websites.(Citation: Symantec Security Response July 2014)",
"relationship_type": "uses",
"source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json b/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json
index 3b659e6949..acc384a982 100644
--- a/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json
+++ b/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--e762af0a-b52d-430e-b7f2-9ca7c84987bb",
+ "id": "bundle--f6f2c71e-1abf-4dff-9004-72ed72f89cb2",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--efb80069-e4be-4055-bd34-06d1376b4601",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.109Z",
- "relationship_type": "mitigates",
- "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n",
- "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
- "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "McCarthy, J et al. July 2018",
@@ -23,9 +15,16 @@
"url": "https://doi.org/10.6028/NIST.SP.1800-2"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:24.183Z",
+ "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
+ "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json b/ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json
index 1776ec1d9b..466a7a86fa 100644
--- a/ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json
+++ b/ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--76592b71-5883-4d33-9a5a-1be53c18a409",
+ "id": "bundle--6b7bba66-fbee-47a7-8812-38223a509b23",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0",
"created": "2023-09-29T16:39:09.447Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:39:09.447Z",
+ "modified": "2025-04-16T23:05:24.415Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json b/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json
index 729cb1fffc..a3d16cc1e2 100644
--- a/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json
+++ b/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--bdaa0c42-778f-4632-a0fb-6583e36d3d50",
+ "id": "bundle--616da266-b431-443f-981e-d608c8cf0b66",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f05a2592-00f9-4f1f-ba55-395af5444b96",
"created": "2023-09-29T17:42:29.179Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:42:29.179Z",
+ "modified": "2025-04-16T23:05:24.632Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json b/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json
index 952fb679a6..26b4625475 100644
--- a/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json
+++ b/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--628a1bf5-7b5f-4f0d-be20-bd4801ac141a",
+ "id": "bundle--afdc9ab7-92c2-49ac-815f-11e279a11b1d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f08d487a-7837-48f9-9301-fe0f9f144c92",
"created": "2023-09-28T20:31:04.691Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:31:04.691Z",
+ "modified": "2025-04-16T23:05:24.852Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json b/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json
index 367061f19b..15726a0733 100644
--- a/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json
+++ b/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--47a864f8-5477-454d-81d9-60ebc2d14d9d",
+ "id": "bundle--a9d08d99-f0dd-4cce-8568-99997b740de2",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.160Z",
- "relationship_type": "mitigates",
- "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:25.040Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json b/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json
index 9d601624be..6178c72df5 100644
--- a/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json
+++ b/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a0bdef7b-0baa-47f5-9415-ba2bd78be8cb",
+ "id": "bundle--1999942e-9ccf-4979-b456-c52dc33d3986",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:21:24.221Z",
+ "modified": "2025-04-16T23:05:25.281Z",
"description": "When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, [Stuxnet](https://attack.mitre.org/software/S0603) prevents an operator from noticing unauthorized commands sent to the peripheral. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json b/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json
index 9e708edd9e..ccf0cd9b5f 100644
--- a/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json
+++ b/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--90fea558-089e-4f18-9dec-c0573830e64f",
+ "id": "bundle--bcef1adc-6f38-45bb-bd2b-5013d1e8da30",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2",
+ "created": "2021-04-12T18:59:17.429Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-12T18:59:17.429Z",
- "modified": "2022-05-06T17:47:24.189Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:25.486Z",
"description": "Filter application-layer protocol messages for remote services to block any unauthorized activity.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
"target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json b/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json
index d2d8057297..b56047d1cd 100644
--- a/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json
+++ b/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2ea13912-bd84-40b1-8d6f-9415d66c3cf9",
+ "id": "bundle--cbfb6fd7-e818-4005-8ab8-8339792ef478",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d",
"created": "2023-09-29T18:45:34.258Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:45:34.258Z",
+ "modified": "2025-04-16T23:05:25.709Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json b/ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json
index 3d976527ea..3a89edd3b5 100644
--- a/ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json
+++ b/ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--726e6045-2f29-4f25-b9e5-d47766d4bacb",
+ "id": "bundle--912dab75-6e1e-4eaa-9cc8-31e8927f271a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb",
"created": "2023-09-28T21:23:01.421Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:23:01.421Z",
+ "modified": "2025-04-16T23:05:25.902Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json b/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json
index e76c0f724b..0c62f55b73 100644
--- a/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json
+++ b/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c89361d6-3805-4f62-bab3-6486fef57fd1",
+ "id": "bundle--ff6a2503-fdd4-449f-b709-9effa7f30f7f",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-17T16:00:06.894Z",
+ "modified": "2025-04-16T23:05:26.105Z",
"description": "One of [Stuxnet](https://attack.mitre.org/software/S0603)'s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged. (Citation: Langer Stuxnet)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json b/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json
index 9f995a52fc..34455fdd4f 100644
--- a/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json
+++ b/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c5dd32c4-237f-4297-b1a3-292ef5c21dcc",
+ "id": "bundle--2866d22e-e754-45d6-8606-a0924a749ed0",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8",
"created": "2023-09-28T21:24:22.815Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:24:22.815Z",
+ "modified": "2025-04-16T23:05:26.315Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json b/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json
index b7e54d1cdd..c12fc3f0a2 100644
--- a/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json
+++ b/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6f32db46-6aa5-456f-adbb-698b37543e5e",
+ "id": "bundle--57243908-62fa-487d-8f72-d2b98af78bdf",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:48:47.595Z",
+ "modified": "2025-04-16T23:05:26.530Z",
"description": "Monitor alarms for information about when an operating mode is changed, although not all devices produce such logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
"target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json b/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json
index 2e5a9f09fd..d1c6c8f90d 100644
--- a/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json
+++ b/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json
@@ -1,21 +1,13 @@
{
"type": "bundle",
- "id": "bundle--a3976331-2240-45fa-8632-526a19730083",
+ "id": "bundle--b219f453-c0eb-4f12-80a6-9cd63db797ee",
"spec_version": "2.0",
"objects": [
{
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
"type": "relationship",
"id": "relationship--f15f24d2-e581-46ce-83e4-a924f572aae6",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.065Z",
- "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "Department of Homeland Security September 2016",
@@ -23,9 +15,16 @@
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
}
],
- "x_mitre_attack_spec_version": "2.1.0",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:26.751Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json b/ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json
index 4f640d7506..b7f715e23a 100644
--- a/ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json
+++ b/ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--adf9b1ce-f29a-4c8d-8f63-3540b10ed0bb",
+ "id": "bundle--985a171b-a928-43b4-a733-3045f3565805",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f19c34b2-ef3a-4581-b604-6639f501e32f",
"created": "2023-10-02T20:20:32.163Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:20:32.163Z",
+ "modified": "2025-04-16T23:05:26.944Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json b/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json
index b7acb8b5c6..e2d2c488bc 100644
--- a/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json
+++ b/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f1764be1-cd31-478a-b2b9-cba18c145cdb",
+ "id": "bundle--a3e0d38a-2a7a-427f-aa9f-76600064746c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704",
"created": "2023-09-29T17:07:38.219Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:07:38.219Z",
+ "modified": "2025-04-16T23:05:27.174Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json b/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json
index e7e0c04c5a..0613e34bf4 100644
--- a/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json
+++ b/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--38563baa-c09f-4d16-ae29-578dbf268067",
+ "id": "bundle--c085c064-70df-4120-8e22-111d0235cbfb",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.150Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:27.378Z",
"description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json b/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json
index 4df2b1e46a..1cc9449d3d 100644
--- a/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json
+++ b/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--b2ce21d8-da72-4293-9ee3-8edc9f602309",
+ "id": "bundle--fa2e2637-74cf-4f21-aa4a-2417258da45c",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
- "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
- "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-20T21:24:02.276Z",
+ "modified": "2025-04-16T23:05:27.580Z",
"description": "DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious [Stuxnet](https://attack.mitre.org/software/S0603) block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. The replaced DP_RECV block (later on referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
"relationship_type": "uses",
"source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json b/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json
index 94d160340e..2926fa2b6d 100644
--- a/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json
+++ b/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--0a25024a-62b2-4c5e-a6f8-78f575b937cf",
+ "id": "bundle--8a9cccdb-6aff-4e6a-9a73-d5c2458f544e",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:38:17.130Z",
+ "modified": "2025-04-16T23:05:27.782Z",
"description": "Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
"target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json b/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json
index 92903b50ec..6ff193486e 100644
--- a/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json
+++ b/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--85ae6460-f6a5-4502-b88f-22c50702855a",
+ "id": "bundle--ef6f9daf-8d60-4c4d-87d6-80224f8eddb5",
"spec_version": "2.0",
"objects": [
{
@@ -22,8 +22,8 @@
},
{
"source_name": "Intel HackingTeam UEFI Rootkit",
- "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.",
- "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"
+ "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"
},
{
"source_name": "Github CHIPSEC",
@@ -34,15 +34,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:48:28.074Z",
+ "modified": "2025-04-16T23:05:27.983Z",
"description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json b/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json
index d21257afd0..ee198da6db 100644
--- a/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json
+++ b/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--7fb00619-fcc0-4097-a048-1ba47e036ad3",
+ "id": "bundle--65e844b7-19d9-4b8c-beb9-8a6834fe0e52",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-04-14T20:00:00.650Z",
+ "modified": "2025-04-16T23:05:28.180Z",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Joe Slowik August 2019)",
"relationship_type": "uses",
"source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json b/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json
index b2f86794c3..a62081efc7 100644
--- a/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json
+++ b/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--573f05e8-9607-4413-9620-8ca8fe8268e5",
+ "id": "bundle--80c04998-f553-4371-a8b8-7a85e86a0f09",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b",
"created": "2023-09-28T21:23:51.038Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:23:51.038Z",
+ "modified": "2025-04-16T23:05:28.414Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba.json b/ics-attack/relationship/relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba.json
index b0f43a4f8a..de436ae36f 100644
--- a/ics-attack/relationship/relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba.json
+++ b/ics-attack/relationship/relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8453d692-0acd-4f21-ab8f-70f09bb4453c",
+ "id": "bundle--5d15fd94-3222-4da0-8800-2079780afe70",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba",
"created": "2023-03-30T14:11:33.618Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-30T14:11:33.618Z",
+ "modified": "2025-04-16T23:05:28.601Z",
"description": "Monitor for device credential changes observable in automation or management network protocols.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json b/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json
index f7b4820e22..3268579e41 100644
--- a/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json
+++ b/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--2c73433e-e573-4517-acfd-a89b404fab00",
+ "id": "bundle--72ad6973-8668-469a-b463-bd6ab4d1b93f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48",
+ "created": "2021-04-13T12:08:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-13T12:08:26.506Z",
- "modified": "2022-05-06T17:47:24.118Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:28.833Z",
"description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499",
"target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json b/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json
index 494cf76275..9b1c7a85c4 100644
--- a/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json
+++ b/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--04664515-45a6-4448-8651-6da855a97880",
+ "id": "bundle--24b6aea2-1909-4311-8fc3-384b3a7a56da",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:28:22.574Z",
+ "modified": "2025-04-16T23:05:29.025Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json b/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json
index c3d54bd121..a3f6c37410 100644
--- a/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json
+++ b/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--fe1bf239-8d3b-469b-b45b-11eb206f5c30",
+ "id": "bundle--b64cf689-c24b-4887-9ff3-7fd7dc9b853f",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.091Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:29.234Z",
"description": "Develop and publish policies that define acceptable information to be stored in repositories.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba",
"target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json b/ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json
index e9753d3462..8560a2efb2 100644
--- a/ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json
+++ b/ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5c0fbbf2-4519-4ac7-a4bb-86edef11e814",
+ "id": "bundle--2b6d7205-68eb-4428-83d7-070b7506e65c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1",
"created": "2023-09-28T19:49:56.464Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:49:56.464Z",
+ "modified": "2025-04-16T23:05:29.445Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json b/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json
index b12416be46..a322aadb1c 100644
--- a/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json
+++ b/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--966a1b02-c9cf-4818-9b40-c9841ceb68d8",
+ "id": "bundle--9333edf3-afe3-498d-a4e7-98cfc930d6e9",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:33:51.166Z",
+ "modified": "2025-04-16T23:05:29.647Z",
"description": "Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json b/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json
index 9789a4a735..3b63c13855 100644
--- a/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json
+++ b/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d019a3ea-0664-4916-a7eb-10fbd50e8635",
+ "id": "bundle--7863e963-7d13-436c-b939-aadf08ed1e46",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f531e763-3550-40ba-a6a1-81e208ca12c6",
"created": "2023-09-29T16:41:06.217Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:41:06.217Z",
+ "modified": "2025-04-16T23:05:29.887Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json b/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json
index 09dd38f74d..4154c184ed 100644
--- a/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json
+++ b/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--896295a9-18a8-4ac7-a01e-bb5a6ce9e5be",
+ "id": "bundle--099c85f6-5b00-4efa-b0bd-8f73c67b4452",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7",
"created": "2023-09-28T21:26:23.361Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:26:23.361Z",
+ "modified": "2025-04-16T23:05:30.071Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json b/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json
index d9a2248e63..bd025b2da0 100644
--- a/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json
+++ b/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--a4decaa5-4efc-4774-8b1c-1dde55e136fe",
+ "id": "bundle--dc278e53-742d-4cfb-af6d-da5fe68d7eb5",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T18:29:11.326Z",
+ "modified": "2025-04-16T23:05:30.281Z",
"description": "[Triton](https://attack.mitre.org/software/S1009) can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. (Citation: Jos Wetzels January 2018)",
"relationship_type": "uses",
"source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
"target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json b/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json
index 785d1fc108..e95166d32d 100644
--- a/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json
+++ b/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--3b4f24e2-d61d-42e6-88b0-ac8a917afd78",
+ "id": "bundle--951419a9-1cd7-47b3-aec0-9d4b761046a4",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545",
"created": "2023-09-29T18:44:50.280Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:44:50.280Z",
+ "modified": "2025-04-16T23:05:30.485Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json b/ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json
index 61b2dc734a..569e0bd143 100644
--- a/ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json
+++ b/ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--ccd13dec-dadd-4a6c-988a-47afed0ad51f",
+ "id": "bundle--fb771d17-6b9d-43d9-83d5-8b4aeb1b863f",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f5c9f641-a498-46b5-9068-39502db53cfd",
"created": "2023-09-28T20:10:55.590Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:10:55.590Z",
+ "modified": "2025-04-16T23:05:30.721Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json b/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json
index 8e5c01b514..eb04b00019 100644
--- a/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json
+++ b/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--68b62ffe-4f55-4c0c-b504-92bf5f22bbb7",
+ "id": "bundle--2abfa064-6dd8-4d8e-86b2-12fa27cf3de6",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4",
"created": "2023-09-29T17:04:55.720Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:04:55.720Z",
+ "modified": "2025-04-16T23:05:30.913Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json b/ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json
index f8d756fc2c..e6c4cfe75c 100644
--- a/ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json
+++ b/ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d1e2b452-3806-4114-8075-4a42a9a6b23c",
+ "id": "bundle--99431dbe-b469-4d57-b7dd-42e3b5bd5f0c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51",
"created": "2023-09-29T17:05:20.132Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:05:20.132Z",
+ "modified": "2025-04-16T23:05:31.104Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
"target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json b/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json
index a47b8d4f3a..11d9e3670d 100644
--- a/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json
+++ b/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--46e90b97-5b48-4731-948b-d483603e8b74",
+ "id": "bundle--a6868b3c-1c0f-4e11-b868-1a31eaecdc0a",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T16:32:49.409Z",
+ "modified": "2025-04-16T23:05:31.308Z",
"description": "[OilRig](https://attack.mitre.org/groups/G0049) utilized stolen credentials to gain access to victim machines.(Citation: Dragos)",
"relationship_type": "uses",
"source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json b/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json
index 8a75265d26..0fe3a942ac 100644
--- a/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json
+++ b/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--5ae8ed6f-4125-4ad2-8811-5aea822abbe6",
+ "id": "bundle--fd7fa872-5aa3-42b5-9dc4-55613ff3bc95",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659",
"created": "2023-09-28T19:55:58.229Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:55:58.229Z",
+ "modified": "2025-04-16T23:05:31.516Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json b/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json
index f8b040ec78..a05f2c116e 100644
--- a/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json
+++ b/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--cfa96368-f07c-4a2b-84bb-fc9446bb0569",
+ "id": "bundle--fca2b6d4-2d6c-41ed-aa10-4bb652481f5d",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T17:45:58.655Z",
+ "modified": "2025-04-16T23:05:31.746Z",
"description": "Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json b/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json
index 087fca3dad..48e959277a 100644
--- a/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json
+++ b/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d1419575-f0f0-4b81-aa11-952cacf37d0f",
+ "id": "bundle--28777e26-cb12-4e2c-b1eb-8d91dc597b37",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6",
"created": "2023-09-28T20:12:09.661Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:12:09.661Z",
+ "modified": "2025-04-16T23:05:31.952Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
"target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json b/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json
index b99145f424..d774edd6f7 100644
--- a/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json
+++ b/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ef0b0be2-ecb9-412d-8c55-416706ae067d",
+ "id": "bundle--fbe47251-bc87-47a9-b52c-84ae1723ae9b",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-21T16:44:46.032Z",
+ "modified": "2025-04-16T23:05:32.168Z",
"description": "Communication authenticity will ensure that any messages tampered with through AiTM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various AiTM procedures.\n",
"relationship_type": "mitigates",
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
"target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json b/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json
index 87879361a5..968c7cda56 100644
--- a/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json
+++ b/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--fa7dd62a-f6fe-4177-a428-b0b2c523cc76",
+ "id": "bundle--23b10d56-86f5-454a-8770-555672746d8e",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.147Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:32.381Z",
"description": "Use file system access controls to protect system and application folders.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
"target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json b/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json
index af9f22762d..afa0732a35 100644
--- a/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json
+++ b/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--2d947562-c85c-4c73-85f4-7fd56f527473",
+ "id": "bundle--870ae8fc-d52d-47ad-964e-8e9d6c8fb713",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c",
"created": "2023-09-29T16:45:42.977Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:45:42.977Z",
+ "modified": "2025-04-16T23:05:32.577Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json b/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json
index f353a13737..1672712a67 100644
--- a/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json
+++ b/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a3fbd3ab-b032-4725-ad58-c344f52a7ce9",
+ "id": "bundle--34dba996-006d-4c16-90b0-b82c08ba3d9e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846",
"created": "2023-09-29T18:47:39.450Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T18:47:39.450Z",
+ "modified": "2025-04-16T23:05:32.808Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json b/ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json
index 56a2bd6d39..72d7fd9bd5 100644
--- a/ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json
+++ b/ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--88feba87-88fd-411c-977b-7231811d19fb",
+ "id": "bundle--55aabb5d-3433-4017-9795-a161175e1516",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138",
"created": "2023-09-28T20:31:31.498Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:31:31.498Z",
+ "modified": "2025-04-16T23:05:32.996Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json b/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json
index 39619b0588..d27253a9c6 100644
--- a/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json
+++ b/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--74d925fb-771c-4290-935c-ba1e69773c10",
+ "id": "bundle--de71c2d1-ca9f-48ce-b54e-59c87908b19d",
"spec_version": "2.0",
"objects": [
{
@@ -12,7 +12,7 @@
"external_references": [
{
"source_name": "Booz Allen Hamilton",
- "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
"url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
},
{
@@ -24,15 +24,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-04T17:03:24.268Z",
+ "modified": "2025-04-16T23:05:33.197Z",
"description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened the breakers at the infected sites, shutting the power off for thousands of businesses and households for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)",
"relationship_type": "uses",
"source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
"target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8.json b/ics-attack/relationship/relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8.json
new file mode 100644
index 0000000000..462061a8db
--- /dev/null
+++ b/ics-attack/relationship/relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--c5068719-14c4-4e4b-9e0a-4b3da151120a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8",
+ "created": "2024-11-20T23:29:22.542Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos FROSTYGOOP 2024",
+ "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.",
+ "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T23:05:33.423Z",
+ "description": "During [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary modified victim control system parameters resulting in the loss of heating services to impacted district heating customers.(Citation: Dragos FROSTYGOOP 2024)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f",
+ "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f7d672f6-993b-4036-961d-f6e22e94446c.json b/ics-attack/relationship/relationship--f7d672f6-993b-4036-961d-f6e22e94446c.json
index d3b4449a08..5dad60fa8b 100644
--- a/ics-attack/relationship/relationship--f7d672f6-993b-4036-961d-f6e22e94446c.json
+++ b/ics-attack/relationship/relationship--f7d672f6-993b-4036-961d-f6e22e94446c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c925bc50-be3e-4a0b-953d-db2a989b1f49",
+ "id": "bundle--b7aa2057-4dcc-440f-838f-eda44d31abdd",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f7d672f6-993b-4036-961d-f6e22e94446c",
"created": "2024-04-09T20:48:30.734Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-09T20:48:30.734Z",
+ "modified": "2025-04-16T23:05:33.625Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
"target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json b/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json
index d65cc378e2..ede5738756 100644
--- a/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json
+++ b/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--38b6b83a-a003-49ec-b85c-3fc511ba2b76",
+ "id": "bundle--6bd2fcd2-d1a7-4fa4-a143-4242e5191fe6",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-09-12T19:53:14.409Z",
+ "modified": "2025-04-16T23:05:33.846Z",
"description": "[OilRig](https://attack.mitre.org/groups/G0049) has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. (Citation: Eduard Kovacs May 2018)",
"relationship_type": "uses",
"source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json b/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json
index 5a91f8f6ef..c72dae672e 100644
--- a/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json
+++ b/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--bbd5653d-72e7-442f-bc6c-a214fa3575dc",
+ "id": "bundle--d283ad40-13b7-48f0-b65f-8053a8565e28",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089",
"created": "2023-09-28T20:16:40.519Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:16:40.519Z",
+ "modified": "2025-04-16T23:05:34.045Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json b/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json
index a2a639d57a..5a233ddef2 100644
--- a/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json
+++ b/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--64ec8fa2-0bfe-4995-a072-5ecf1e84cc0f",
+ "id": "bundle--1f4e963e-8430-437d-8b50-a43ea9e55791",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--f862418a-e7b4-4783-8949-7145f3dee665",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--f862418a-e7b4-4783-8949-7145f3dee665",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.104Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:34.272Z",
"description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
"target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json b/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json
index 79b5fa94f1..3bc3da786b 100644
--- a/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json
+++ b/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--5754a84e-1783-456f-a9eb-f684b20517f2",
+ "id": "bundle--2a214752-923f-4316-8c8b-48d66214e23b",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702",
"created": "2023-03-22T15:52:30.607Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-22T15:52:30.607Z",
+ "modified": "2025-04-16T23:05:34.484Z",
"description": "Devices and programs should validate the content of any remote parameter changes, including those from HMIs, control servers, or engineering workstations.(Citation: PLCTop20 Mar 2023)",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517",
"target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json b/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json
index 7a61dc1e83..a2bc3a1472 100644
--- a/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json
+++ b/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--7a5cdce6-1fb2-46a5-8ef4-9036b489cc75",
+ "id": "bundle--c5a4a0b4-ab33-48d8-82b3-9d19b63061bd",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T16:09:42.474Z",
+ "modified": "2025-04-16T23:05:34.706Z",
"description": "Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json b/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json
index 196ca70a27..e8edf46513 100644
--- a/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json
+++ b/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f0e4b4d5-8398-4627-abb0-ec673d3c9f64",
+ "id": "bundle--2dd84553-2d58-44eb-8a30-c3471ab6d0de",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f92764db-a880-4726-9d28-a035170f790c",
"created": "2023-09-28T21:22:35.236Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:22:35.236Z",
+ "modified": "2025-04-16T23:05:34.905Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json b/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json
index a0ea41934c..feae20e5fb 100644
--- a/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json
+++ b/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--41da598a-ca17-4e9c-920c-4f7f17596d82",
+ "id": "bundle--5d1f2129-9ca2-4fb9-8813-93582a6914f3",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.070Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:35.106Z",
"description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
"target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json b/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json
index d4b7d8fc56..88eeda482c 100644
--- a/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json
+++ b/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--f1ff2ce6-3f64-4bb8-bdb7-1ec7657b84d8",
+ "id": "bundle--8a3514ab-1a25-44c7-a3a8-c453164c2510",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T14:34:29.743Z",
+ "modified": "2025-04-16T23:05:35.314Z",
"description": "Monitor for unexpected ICS protocol command functions to controllers from existing master devices (including from new processes) or from new devices. The latter is like detection for [Rogue Master](https://attack.mitre.org/techniques/T0848) but requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).\n\nMonitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json b/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json
index c704d33215..0159d15ee9 100644
--- a/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json
+++ b/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6bd45559-9bd3-4dbc-9bbf-3ccc2770e67e",
+ "id": "bundle--dc266882-0a89-4a95-a63c-6f86d30c231e",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b",
"created": "2023-09-28T19:48:37.072Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:48:37.072Z",
+ "modified": "2025-04-16T23:05:35.518Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json b/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json
index 0ca6d26dfd..e4137a3251 100644
--- a/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json
+++ b/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--cfc2cad9-86ca-4fd4-a21a-5c6cfeda1b3d",
+ "id": "bundle--b583040c-0a59-42fa-ba34-b330f32cc660",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.185Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:35.743Z",
"description": "Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
"target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json b/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json
index 0cc0a29bbb..20da42bc40 100644
--- a/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json
+++ b/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--27bba81d-e2ca-404c-abc5-4e5be85ee125",
+ "id": "bundle--934d126b-46ee-421b-9409-9860d53d08c8",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.184Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:35.951Z",
"description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. Ensure the signing keys are not easily accessible on the same system.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
"target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json b/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json
index 617229b021..f2acb119f8 100644
--- a/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json
+++ b/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--ee813824-ac79-4f67-b025-fe46084efe86",
+ "id": "bundle--39b5684c-17b1-4634-9c04-75249d069767",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-03-08T22:28:50.588Z",
+ "modified": "2025-04-16T23:05:36.158Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fa726dae-84da-4500-8516-1522da2c6fa4.json b/ics-attack/relationship/relationship--fa726dae-84da-4500-8516-1522da2c6fa4.json
index 6b96743a1b..3a57f5d0ea 100644
--- a/ics-attack/relationship/relationship--fa726dae-84da-4500-8516-1522da2c6fa4.json
+++ b/ics-attack/relationship/relationship--fa726dae-84da-4500-8516-1522da2c6fa4.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--02a3f67b-19f1-4bdc-acca-2b68f9dd0285",
+ "id": "bundle--85cdecc4-6af1-4a4c-9413-41076a9b2a6c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fa726dae-84da-4500-8516-1522da2c6fa4",
"created": "2024-03-26T15:41:14.121Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-26T15:41:14.121Z",
+ "modified": "2025-04-16T23:05:36.403Z",
"description": "Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. ",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json b/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json
index 1f552949db..a15c372ed0 100644
--- a/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json
+++ b/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--a557459c-25f9-4fef-b2b0-017bdfa130e6",
+ "id": "bundle--27a7906a-eee9-404f-8527-f430d7d4f69a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0",
"created": "2023-09-29T16:28:04.180Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T16:28:04.180Z",
+ "modified": "2025-04-16T23:05:36.593Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json b/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json
index 95faaabf21..7b8228e714 100644
--- a/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json
+++ b/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--6213fd4e-9370-4dbf-9dc0-b119cd3299eb",
+ "id": "bundle--7230ac94-14d9-47a2-a7b8-5c33c4652663",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fad25140-73de-40d5-a010-3464188db973",
"created": "2023-09-25T20:51:07.162Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-25T20:51:07.162Z",
+ "modified": "2025-04-16T23:05:36.807Z",
"description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and\u00a0User Account Management.",
"relationship_type": "mitigates",
"source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
"target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json b/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json
index 1c8d7072dd..204cb52571 100644
--- a/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json
+++ b/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--c27dbdc3-7c30-4768-a4d2-59b380103b61",
+ "id": "bundle--1422cec8-1f39-47bf-b054-7fd351f30393",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fadbdca3-3c98-497c-a156-e53b89664359",
"created": "2023-09-28T20:16:55.038Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T20:16:55.038Z",
+ "modified": "2025-04-16T23:05:37.012Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
"target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--faf163b6-4e35-43d6-9c0c-83d91d215854.json b/ics-attack/relationship/relationship--faf163b6-4e35-43d6-9c0c-83d91d215854.json
index a81cee8c8d..ca84d910f8 100644
--- a/ics-attack/relationship/relationship--faf163b6-4e35-43d6-9c0c-83d91d215854.json
+++ b/ics-attack/relationship/relationship--faf163b6-4e35-43d6-9c0c-83d91d215854.json
@@ -1,12 +1,13 @@
{
"type": "bundle",
- "id": "bundle--bc8e7177-ecdd-4535-ba04-50f2cec01feb",
+ "id": "bundle--fb70da2c-47f7-48bf-91c7-37fa7fa1cb87",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--faf163b6-4e35-43d6-9c0c-83d91d215854",
"created": "2024-09-11T22:57:39.900Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
@@ -18,16 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-09-11T22:57:39.900Z",
+ "modified": "2025-04-16T23:05:37.227Z",
"description": "[Fuxnet](https://attack.mitre.org/software/S1157) physically destroyed NAND memory chips on impacted devices through repeated bit-flip operations.(Citation: Claroty Fuxnet 2024)",
"relationship_type": "uses",
"source_ref": "malware--931e2489-8078-4f9f-85b2-a9211950e75b",
"target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json b/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json
index e9a9bcd558..77499ee34a 100644
--- a/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json
+++ b/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--6394e660-fea7-4454-9f3e-4cbe11cc3a46",
+ "id": "bundle--4d25e4b1-3b34-43d8-acd1-61f8500be67c",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:58:34.751Z",
+ "modified": "2025-04-16T23:05:37.428Z",
"description": "Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json b/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json
index 655007c7e6..6253dfc030 100644
--- a/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json
+++ b/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--981a4842-806a-4ad7-8280-61cd438b9558",
+ "id": "bundle--e82d4e3a-7abf-493b-b01a-7b839b2fb131",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1",
"created": "2023-09-29T17:38:28.664Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-29T17:38:28.664Z",
+ "modified": "2025-04-16T23:05:37.622Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
"target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json b/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json
index ac9263ccf0..17899b42fb 100644
--- a/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json
+++ b/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--22c26c26-6a6c-48d1-b24b-17f1f106269b",
+ "id": "bundle--395d6647-1ef9-48eb-9d25-d5ba8c667c2b",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T17:15:27.767Z",
+ "modified": "2025-04-16T23:05:37.853Z",
"description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json b/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json
index 50bdd166d7..c7b329a0ab 100644
--- a/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json
+++ b/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d4a841ff-5481-426c-a6d9-bb9ce51b01c3",
+ "id": "bundle--15812bcf-6019-43a7-9a77-159c9e00882d",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:55:14.825Z",
+ "modified": "2025-04-16T23:05:38.056Z",
"description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json b/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json
index 77eb399ffb..517e37cc5b 100644
--- a/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json
+++ b/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--75122798-b8e3-4cc8-a1e8-8b8593bf1e77",
+ "id": "bundle--69763f1d-065e-4451-85be-08ea6a86a819",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-09-12T19:53:14.410Z",
+ "modified": "2025-04-16T23:05:38.310Z",
"description": "[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018)",
"relationship_type": "uses",
"source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json b/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json
index e340f635ac..cf89846091 100644
--- a/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json
+++ b/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--90680f18-018e-47e7-9489-fb9e02272b7b",
+ "id": "bundle--89a3bf65-1099-4fb5-9d45-9f983b4c9f73",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T16:45:25.119Z",
+ "modified": "2025-04-16T23:05:38.510Z",
"description": "Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
"target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json b/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json
index e2f483a37f..ee015b3ec1 100644
--- a/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json
+++ b/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--b16eebc5-f227-46cb-bbb2-ca17cb527f04",
+ "id": "bundle--e8a4ec73-5d4f-4fe6-915a-7a5a594a39b5",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.111Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:38.722Z",
"description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
"target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fcba6a58-72b0-4d54-a887-740624e22f6f.json b/ics-attack/relationship/relationship--fcba6a58-72b0-4d54-a887-740624e22f6f.json
index 407d0d8431..b7f8cbb38d 100644
--- a/ics-attack/relationship/relationship--fcba6a58-72b0-4d54-a887-740624e22f6f.json
+++ b/ics-attack/relationship/relationship--fcba6a58-72b0-4d54-a887-740624e22f6f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--8f6f20da-66ea-46f3-9934-7d1ca97a5dcd",
+ "id": "bundle--adc47901-f7b1-43f6-b7a9-a4582e8f8a7d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fcba6a58-72b0-4d54-a887-740624e22f6f",
"created": "2024-03-26T15:42:36.840Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-26T15:42:36.840Z",
+ "modified": "2025-04-16T23:05:38.920Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
"target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json b/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json
index e6edd5e437..a7ec2aaf04 100644
--- a/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json
+++ b/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--0bae58fa-1382-4200-9a07-3de0e0ee826b",
+ "id": "bundle--26a726ad-ab31-4055-9441-c84b0aa9815a",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.106Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:39.147Z",
"description": "Restrict browsers to limit the capabilities of malicious ads and Javascript.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json b/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json
index 1274e5e326..a561b63371 100644
--- a/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json
+++ b/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--fbe710f5-f73a-4b7e-aa05-9b61d5028dc7",
+ "id": "bundle--91122735-a113-4fd6-808f-4977c178f11c",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55",
"created": "2022-09-27T18:41:43.617Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-27T18:41:43.617Z",
+ "modified": "2025-04-16T23:05:39.362Z",
"description": "Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC\u2019s application program, either directly from the device or from asset management platforms.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d",
"target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fd309395-8fcc-402c-9227-90ac897fd602.json b/ics-attack/relationship/relationship--fd309395-8fcc-402c-9227-90ac897fd602.json
index 4db6c42b49..d2df63bb8e 100644
--- a/ics-attack/relationship/relationship--fd309395-8fcc-402c-9227-90ac897fd602.json
+++ b/ics-attack/relationship/relationship--fd309395-8fcc-402c-9227-90ac897fd602.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--08759c85-c8a8-4745-b57d-971adb12c519",
+ "id": "bundle--abd32f29-12d2-4c8b-857f-dd9dfe92a24d",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fd309395-8fcc-402c-9227-90ac897fd602",
"created": "2024-03-26T15:41:39.905Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-03-26T15:41:39.905Z",
+ "modified": "2025-04-16T23:05:39.554Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json b/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json
index a3ed43d39a..28019bb714 100644
--- a/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json
+++ b/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--d01d37e7-2fdc-4d5b-a402-f5e08d18316c",
+ "id": "bundle--240ae37b-974c-44ec-9033-c20bbe6d6441",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd",
"created": "2023-10-02T20:23:41.227Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-10-02T20:23:41.227Z",
+ "modified": "2025-04-16T23:05:39.770Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
"target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0.json b/ics-attack/relationship/relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0.json
index 9ed5a9268e..72ce7bc72c 100644
--- a/ics-attack/relationship/relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0.json
+++ b/ics-attack/relationship/relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--43c4c300-6c13-499d-87c1-b732b0c70f27",
+ "id": "bundle--5e3087ac-b900-4c5e-a133-e98b6ed21482",
"spec_version": "2.0",
"objects": [
{
@@ -12,22 +12,21 @@
"external_references": [
{
"source_name": "FireEye TRITON 2018",
- "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.",
- "url": "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"
+ "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2024-04-10T15:03:21.507Z",
+ "modified": "2025-04-16T23:05:39.957Z",
"description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to send unauthorized command messages to the Triconex safety controllers.(Citation: FireEye TRITON 2018)",
"relationship_type": "uses",
"source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
"target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json b/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json
index a899efa15b..442db25c60 100644
--- a/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json
+++ b/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--46f39f68-ba7a-4722-9402-aa37c28f860c",
+ "id": "bundle--237d601b-5d1f-4905-9d3f-553568007f69",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-14T19:41:55.062Z",
+ "modified": "2025-04-16T23:05:40.149Z",
"description": "Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
"target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json b/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json
index 1b2fc4befe..c78b864148 100644
--- a/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json
+++ b/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--75b93fb3-e583-42f4-8500-69208df91fec",
+ "id": "bundle--6edea462-7fca-4573-9d74-23fb05c2d966",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fdc20415-c9a1-405e-80af-3d297894e8fa",
"created": "2023-09-28T19:58:30.849Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:58:30.849Z",
+ "modified": "2025-04-16T23:05:40.401Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json b/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json
index d527047d66..eee7b9bc33 100644
--- a/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json
+++ b/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--884f2fe1-7dd7-416e-9661-5d6e0a9f38b1",
+ "id": "bundle--973c899f-a370-469e-bfc0-0983478b1c93",
"spec_version": "2.0",
"objects": [
{
@@ -12,15 +12,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-09-26T15:08:55.507Z",
+ "modified": "2025-04-16T23:05:40.602Z",
"description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
"target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json b/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json
index 7d2d6b5740..ded27a6730 100644
--- a/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json
+++ b/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--885e96fa-03a3-4897-93a8-d7130be5c491",
+ "id": "bundle--3561974b-fccc-4eb9-a013-6591450ac6f5",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f",
"created": "2023-09-28T21:10:39.025Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:10:39.025Z",
+ "modified": "2025-04-16T23:05:40.807Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
"target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json b/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json
index 79aab36bd6..70c87386a8 100644
--- a/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json
+++ b/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--f6f7c93c-604b-4651-a963-3f82c410fcd2",
+ "id": "bundle--7bc7c230-2aa2-4654-af48-5cb936b3f27a",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926",
"created": "2023-09-28T21:26:59.998Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:26:59.998Z",
+ "modified": "2025-04-16T23:05:41.023Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json b/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json
index 1f9d7020e7..d2cdda06da 100644
--- a/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json
+++ b/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--987aef36-b81b-4d8a-9d01-924d94061356",
+ "id": "bundle--08403e7e-e911-4dfe-b91b-b4800cf434ae",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb",
"created": "2023-09-28T19:56:26.241Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T19:56:26.241Z",
+ "modified": "2025-04-16T23:05:41.267Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json b/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json
index a862dce2a7..1b62525063 100644
--- a/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json
+++ b/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json
@@ -1,26 +1,25 @@
{
"type": "bundle",
- "id": "bundle--74b1fa51-de09-458e-91ab-1c4385e16ebc",
+ "id": "bundle--dc72756d-7e47-49ee-b50c-eba9a43f4c47",
"spec_version": "2.0",
"objects": [
{
"type": "relationship",
"id": "relationship--ff107632-751b-4efb-86bd-af670b48d35d",
"created": "2023-09-28T21:21:30.387Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2023-09-28T21:21:30.387Z",
+ "modified": "2025-04-16T23:05:41.468Z",
"description": "",
"relationship_type": "targets",
"source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
"target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json b/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json
index 97f8d1d1f0..ad67e2df3b 100644
--- a/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json
+++ b/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json
@@ -1,24 +1,23 @@
{
"type": "bundle",
- "id": "bundle--33eb1f7f-a764-4a9a-85f8-46c131a19d82",
+ "id": "bundle--262490fd-5715-488c-bd4d-02ff70ad757b",
"spec_version": "2.0",
"objects": [
{
+ "type": "relationship",
+ "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "type": "relationship",
- "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.060Z",
- "relationship_type": "mitigates",
+ "modified": "2025-04-16T23:05:41.656Z",
"description": "Restrict configurations changes and firmware updating abilities to only authorized individuals.\n",
+ "relationship_type": "mitigates",
"source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
"target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
- "x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json b/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json
index fc97fad6c7..61fe8efb60 100644
--- a/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json
+++ b/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--9e1d40fe-de53-4347-a5cd-cf725c602473",
+ "id": "bundle--b5e7d3b4-3417-40bd-bcc0-ce4a44ac9b5b",
"spec_version": "2.0",
"objects": [
{
@@ -19,15 +19,14 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "modified": "2022-10-12T17:31:37.216Z",
+ "modified": "2025-04-16T23:05:41.879Z",
"description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)",
"relationship_type": "uses",
"source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
"target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json b/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json
index 9abb0ee3b4..ab1a5e64e3 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--df96e9f6-0928-484e-89a3-1137c70672bc",
+ "id": "bundle--4d47112e-6bf6-4458-b348-3497abadb3e3",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json b/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json
index af5e5f3a98..2e1a1facb4 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d04458f9-d26d-4f9d-ad4c-89a86f12a1df",
+ "id": "bundle--78893cda-8d93-4068-8e85-583bd6f6a5cd",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json b/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json
index 47ab02fb18..72c918bb83 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--3104d1c3-ea04-4046-9f14-872e29afd7d1",
+ "id": "bundle--648bfae0-66cf-4c59-a150-a5dbfb49c72d",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json b/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json
index fa39e1d317..7734d00a8f 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--d584e8d9-58d1-4621-8ba4-4731ee4ffc53",
+ "id": "bundle--19cf51b5-f126-4756-ab70-5638a1019316",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json b/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json
index 109b2985c1..92b491516e 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e897fef8-a043-4984-a57b-1070cf4ebaa4",
+ "id": "bundle--0c4377d1-cdcf-47e9-b1b1-908683fae5ec",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json b/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json
index 58e3923d62..9777bb73e4 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--e75f3057-fc57-4839-9f31-13f398894ca5",
+ "id": "bundle--3f599b1e-4e0f-405f-b138-f132fb24940b",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json b/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json
index 2a892f47f4..e3d60442f2 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--1679f774-c608-4db7-8fe0-d2907bfb06fc",
+ "id": "bundle--1c261d08-1e23-404d-90c5-e678fe21acb9",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json b/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json
index 57ab252f2d..880e0a0910 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--11f30a5b-b111-45bb-a2c3-51331392329d",
+ "id": "bundle--442d4461-3d81-497f-8abc-4c1cf31b4035",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json b/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json
index 9bd92cfcfb..f160703496 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c6386a55-9f6d-45ae-9d9d-52a75507c392",
+ "id": "bundle--f3da77a0-bc54-422c-b17f-1cfec0c4d660",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json b/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json
index 97998c1360..7451edb85a 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--c19774bd-95a4-4d15-a73d-a3f93ca3fe5b",
+ "id": "bundle--9ee50a6c-df4a-41d4-a104-56ab7c218ee4",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json b/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json
index 784d91d5f4..293ee9ccd4 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--693de388-50b8-4687-9ca6-615cf5e1d2b8",
+ "id": "bundle--880ba8e9-e5a6-4d71-b814-72afe76fd515",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json b/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json
index e33c30b952..8c0787cdb3 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--23b5da18-4f72-4cd7-b13b-7fdbce402258",
+ "id": "bundle--24e21179-afb4-4bc0-ac6c-4249fffb9b7d",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json b/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json
index c73155f382..7159e416db 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--57f0cea8-94cf-4ca4-ad48-06afe1cb26c4",
+ "id": "bundle--577d3116-a53a-4911-9778-6088ffe1e8cb",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json b/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json
index 7539a5afc7..4c16d7a2d0 100644
--- a/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json
@@ -1,6 +1,6 @@
{
"type": "bundle",
- "id": "bundle--05ce6982-80b4-47d1-b71c-d27498a8ece0",
+ "id": "bundle--e9e53ade-f9da-4dd7-a6d5-e100953bbf6b",
"spec_version": "2.0",
"objects": [
{
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json
index e292c6ce83..eed1ae639d 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--84eae10c-b1d6-4618-a491-640f185c93c4",
+ "id": "bundle--c3257af6-ddd4-41be-807d-bc70a4f658c8",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:12:03.268Z",
"name": "Windows Registry Key Deletion",
- "description": "Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)",
+ "description": "The removal of a registry key within the Windows operating system.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n - Event ID 4658 - Registry Key Handle Closed: Captures when a handle to a registry key is closed, which may indicate deletion.\n - Event ID 4660 - Object Deleted: Logs when a registry key is deleted.\n- Sysmon (System Monitor) for Windows\n - Sysmon Event ID 12 - Registry Key Deleted: Logs when a registry key is removed.\n - Sysmon Event ID 13 - Registry Value Deleted: Captures removal of specific registry values.\n- Endpoint Detection and Response (EDR) Solutions\n - Monitor registry deletions for suspicious behavior.",
"x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json
index 268305a5db..971e69ea31 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json
@@ -1,15 +1,9 @@
{
"type": "bundle",
- "id": "bundle--ff8c4990-3ec6-4ea8-9351-4c93e0155c86",
+ "id": "bundle--2c86b040-dad6-4f8c-a32c-63718674c04b",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-20T20:18:06.745Z",
- "name": "Network Connection Creation",
- "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)",
- "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.1",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
"created": "2021-10-20T15:05:19.274Z",
@@ -18,8 +12,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:11:23.639Z",
+ "name": "Network Connection Creation",
+ "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json
index 79cca1e0c2..0f799efb32 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--d7ff23eb-217b-4bfe-8927-8ce67252fbaa",
+ "id": "bundle--ab0c176a-b157-47f2-a843-1c5db76738a8",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:10:07.996Z",
"name": "File Access",
- "description": "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)",
+ "description": "To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: \n\n- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.\n- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).\n- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows).\n- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).\n- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).\n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name.\n- Sysmon:\n - Event ID 11: Logs file creation time changes.\n - Event ID 1 (process creation): Can provide insight into files executed.\n- PowerShell: Commands to monitor file access in real-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`\n\nLinux\n\n- Auditd: Monitor file access events using audit rules: `auditctl -w /path/to/file -p rwxa -k file_access`\n- View logs: `ausearch -k file_access`\n- Inotify: Use inotify to track file access on Linux: `inotifywait -m /path/to/watch -e access`\n\nmacOS\n\n- Unified Logs: Monitor file access using the macOS Unified Logging System.\n- FSEvents: File System Events can track file accesses: `fs_usage | grep open`\n\nNetwork Devices\n\n- SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol.\n- NAS Logs: Collect logs from network-attached storage systems for file access events.\n\nSIEM Integration\n\n- Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis.",
"x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json
index 661c58be86..8a5aaba1fa 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--941e00fe-84e3-41d4-96dc-fba07aa763c9",
+ "id": "bundle--697a1979-9f59-4ca5-8e04-f58162ecc3a4",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:10:18.072Z",
"name": "File Creation",
- "description": "Initial construction of a new file (ex: Sysmon EID 11)",
+ "description": "A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). \n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time.\n- Windows Event Log: Enable \"Object Access\" auditing in Group Policy to track file creation under Event ID 4663.\n- PowerShell: Real-time monitoring of file creation:`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`\n\nLinux\n\n- Auditd: Use audit rules to monitor file creation: `auditctl -w /path/to/directory -p w -k file_creation`\n- View logs: `ausearch -k file_creation`\n- Inotify: Monitor file creation with inotifywait: `inotifywait -m /path/to/watch -e create`\n\nmacOS\n\n- Unified Logs: Use the macOS Unified Logging System to capture file creation events.\n- FSEvents: Use File System Events to monitor file creation: `fs_usage | grep create`\n\nNetwork Devices\n\n- NAS Logs: Monitor file creation events on network-attached storage devices.\n- SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols.\n\nSIEM Integration\n\n- Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting.",
"x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json
index da24b6f65e..db45acb7d4 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json
@@ -1,23 +1,30 @@
{
"type": "bundle",
- "id": "bundle--55e6f487-00a6-4205-bd3c-5846aac72c0e",
+ "id": "bundle--a3e9d234-7764-4894-a643-0f36bfee45d9",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.274Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.274Z",
+ "modified": "2025-04-18T15:11:16.672Z",
"name": "Network Traffic Content",
- "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)",
+ "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.",
"x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json
index 3a9a7be4b5..c282a270cb 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json
@@ -1,23 +1,27 @@
{
"type": "bundle",
- "id": "bundle--aa582848-00fc-47a6-9cc5-ce802e8c271c",
+ "id": "bundle--6bc76313-7839-4aaf-af1d-82680a877547",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.274Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.274Z",
+ "modified": "2025-04-18T15:12:23.075Z",
"name": "Logon Session Metadata",
"description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it",
"x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json
index 9edc9c64df..04302e5963 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json
@@ -1,15 +1,9 @@
{
"type": "bundle",
- "id": "bundle--f474ec25-e5f0-4132-bb42-1c6a755b1356",
+ "id": "bundle--8210d8e9-1819-44ec-8aa5-c9cc9c251f17",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-07T16:15:56.932Z",
- "name": "Process Creation",
- "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)",
- "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.1",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"created": "2021-10-20T15:05:19.272Z",
@@ -18,8 +12,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:10:27.797Z",
+ "name": "Process Creation",
+ "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - EDRs provide process telemetry, tracking execution flows and arguments.\n- Windows Event Logs:\n - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation): Provides detailed logging\n- Linux/macOS Monitoring:\n - AuditD (execve syscall): Logs process creation.\n - eBPF/XDP: Used for low-level monitoring of system calls related to process execution.\n - OSQuery: Allows SQL-like queries to track process events (process_events table).\n - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.\n- Network-Based Monitoring:\n - Zeek (Bro) Logs: Captures network-based process execution related to remote shells.\n - Syslog/OSSEC: Tracks execution of processes on distributed systems.\n- Behavioral SIEM Rules:\n - Monitor process creation for uncommon binaries in user directories.\n - Detect processes with suspicious command-line arguments. ",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json
index 8ca5d7904e..dd6d8734d1 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--b0bcd4d4-46d5-4510-8693-143599c54b33",
+ "id": "bundle--f6824120-7b07-4286-8465-07491ad84e4d",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:12:36.536Z",
"name": "Drive Creation",
- "description": "Initial construction of a drive letter or mount point to a data storage device",
+ "description": "The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: \n\n- USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\\` on a Windows machine.\n- Network Drive Mapping: A network share `\\\\server\\share` is mapped to the drive `Z:\\`.\n- Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD).\n- Cloud Storage Mounting: Google Drive is mounted as `G:\\` on a Windows machine using a cloud sync tool.\n- External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system.\n\nThis data component can be collected through the following measures:\n\nWindows Event Logs\n\n- Relevant Events:\n - Event ID 98: Logs the creation of a volume (mount or new drive letter assignment).\n - Event ID 1006: Logs removable storage device insertions.\n- Configuration: Enable \"Removable Storage Events\" in the Group Policy settings:\n`Computer Configuration > Administrative Templates > System > Removable Storage Access`\n\nLinux System Logs\n\n- Command-Line Monitoring: Use `dmesg` or `journalctl` to monitor mount events.\n\n- Auditd Configuration: Add audit rules to track mount points.\n- Logs can be reviewed in /var/log/audit/audit.log.\n\nmacOS System Logs\n\n- Unified Logs: Monitor system logs for mount activity:\n- Command-Line Tools: Use `diskutil list` to verify newly created or mounted drives.\n\nEndpoint Detection and Response (EDR) Tools\n\n- EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events.\n\nSIEM Tools\n\n- Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities.",
"x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json
index 800e453f4d..76c3b062a2 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json
@@ -1,26 +1,26 @@
{
"type": "bundle",
- "id": "bundle--b38e0eb6-4841-425d-a831-c96605654d86",
+ "id": "bundle--c78d85bc-9778-428a-b743-f3878eb1fb90",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_domains": [
- "ics-attack"
- ],
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+ "created": "2022-05-11T16:22:58.802Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2022-05-11T16:22:58.802Z",
- "created": "2022-05-11T16:22:58.802Z",
- "type": "x-mitre-data-component",
- "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+ "modified": "2025-04-16T21:26:36.694Z",
"name": "Process/Event Alarm",
"description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)",
- "x_mitre_version": "1.0",
"x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json
index dfb0fd3f4e..543b2f2e37 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json
@@ -1,23 +1,28 @@
{
"type": "bundle",
- "id": "bundle--6f397a72-1986-4896-b167-6908140d5a26",
+ "id": "bundle--f1d63fb8-7511-4af1-8c4e-28aa1e406c97",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:12:35.797Z",
"name": "Drive Modification",
- "description": "Changes made to a drive letter or mount point of a data storage device",
+ "description": "The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples: \n\n- Drive Letter Reassignment: A USB drive previously assigned `E:\\` is reassigned to `D:\\` on a Windows machine.\n- Mount Point Change: On a Linux system, a mounted storage device at `/mnt/external` is moved to `/mnt/storage`.\n- Drive Permission Changes: A shared drive's permissions are modified to allow write access for unauthorized users or processes.\n- Renaming of a Drive: A network drive labeled \"HR_Share\" is renamed to \"Shared_Resources.\"\n- Modification of Cloud-Integrated Drives: A cloud storage mount such as Google Drive is modified to sync only specific folders.\n\nThis data component can be collected through the following measures:\n\nWindows Event Logs\n\n- Relevant Events:\n - Event ID 98: Indicates changes to a volume (e.g., drive letter reassignment).\n - Event ID 1006: Logs permission modifications or changes to removable storage.\n- Configuration: Enable \"Storage Operational Logs\" in the Event Viewer:\n`Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational`\n\nLinux System Logs\n\n- Auditd Configuration: Add audit rules to track changes to mounted drives: `auditctl -w /mnt/ -p w -k drive_modification`\n- Command-Line Monitoring: Use `dmesg` or `journalctl` to observe drive modifications.\n\nmacOS System Logs\n\n- Unified Logs: Collect mount or drive modification events: `log show --info | grep \"Volume modified\"`\n- Command-Line Monitoring: Use `diskutil` to track changes:\n\nEndpoint Detection and Response (EDR) Tools\n\n- Configure policies in EDR solutions to monitor and log changes to drive configurations or attributes.\n\nSIEM Tools\n\n- Aggregate logs from multiple systems into a centralized platform like Splunk to correlate events and alert on suspicious drive modification activities.\n",
"x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json
index eb38762bce..1f7dcdd75d 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--c671e671-35c6-49cd-ba5a-e94c47b4e2d0",
+ "id": "bundle--8ac24aa2-268a-4f36-87bb-fcac1e06f7c4",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:10:54.408Z",
"name": "Service Creation",
- "description": "Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)",
+ "description": "The registration of a new service or daemon on an operating system.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n - Event ID 4697 - Captures the creation of a new Windows service.\n - Event ID 7045 - Captures services installed by administrators or adversaries.\n - Event ID 7034 - Could indicate malicious service modification or exploitation.\n- Sysmon Logs\n - Sysmon Event ID 1 - Process Creation (captures service executables).\n - Sysmon Event ID 4 - Service state changes (detects service installation).\n - Sysmon Event ID 13 - Registry modifications (captures service persistence changes).\n- PowerShell Logging\n - Monitor `New-Service` and `Set-Service` PowerShell cmdlets in Event ID 4104 (Script Block Logging).\n- Linux/macOS Collection Methods\n - AuditD & Syslog Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`)\n - AuditD Rules:\n - `auditctl -w /etc/systemd/system -p wa -k service_creation`\n - Detects changes to `systemd` service configurations.\n- Systemd Journals (`journalctl -u `)\n - Captures newly created systemd services.\n- LaunchDaemons & LaunchAgents (macOS)\n - Monitor `/Library/LaunchDaemons/` and `/Library/LaunchAgents/` for new plist files.",
"x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
index c8ad63f204..2d05b6d8bc 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
@@ -1,23 +1,30 @@
{
"type": "bundle",
- "id": "bundle--43a88269-df65-447c-b205-9db1222c6923",
+ "id": "bundle--b8f4be0b-08c2-4a56-945e-7e05af493667",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.272Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.272Z",
+ "modified": "2025-04-18T15:10:34.519Z",
"name": "Process Termination",
- "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)",
+ "description": "The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor process termination events.\n- Windows Event Logs:\n - Event ID 4689 (Process Termination) \u2013 Captures when a process exits, including process ID and parent process.\n - Event ID 7036 (Service Control Manager) \u2013 Monitors system service stops.\n- Sysmon (Windows):\n - Event ID 5 (Process Termination) \u2013 Detects when a process exits, including parent-child relationships.\n- Linux/macOS Monitoring:\n - AuditD (`execve`, `exit_group`, `kill` syscalls) \u2013 Captures process termination via command-line interactions.\n - eBPF/XDP: Monitors low-level system calls related to process termination.\n - OSQuery: The processes table can be queried for abnormal exits.",
"x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json
index ba96baa1df..33041106f3 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json
@@ -1,15 +1,9 @@
{
"type": "bundle",
- "id": "bundle--c4cb8e29-3f2c-4cd2-966d-8124a7ff7402",
+ "id": "bundle--12d87c42-9e96-4316-838e-0824ebefdc6d",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-11-01T21:18:51.941Z",
- "name": "File Metadata",
- "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.",
- "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
"created": "2021-10-20T15:05:19.273Z",
@@ -18,8 +12,18 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:10:14.725Z",
+ "name": "File Metadata",
+ "description": "contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: \n\n- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on Windows.\n- Timestamps: Analyzing the creation, modification, and access timestamps of a file.\n- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.\n- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.\n- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.\n- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.\n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Sysinternals Tools: Use `AccessEnum` or `PSFile` to retrieve metadata about file access and permissions.\n- Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed).\n- PowerShell: Use Get-Item or Get-ChildItem cmdlets: `Get-ChildItem -Path \"C:\\Path\\To\\Directory\" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes`\n\nLinux\n\n- File System Commands: Use `ls -l` or stat to retrieve file metadata: `stat /path/to/file`\n- Auditd: Configure audit rules to log metadata access: `auditctl -w /path/to/file -p wa -k file_metadata`\n- Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes.\n\nmacOS\n\n- FSEvents: Use FSEvents to track file metadata changes.\n- Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs.\n- Command-Line Tools: Use ls -l or xattr for file attributes: `ls -l@ /path/to/file`\n\nSIEM Integration\n\n- Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json
index e498a24da4..4e6f369306 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--737e5eb4-2077-41e2-8e24-b0dfe1639011",
+ "id": "bundle--4a4d6871-1dc9-4240-958d-30c0aaf4fe48",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:10:57.700Z",
"name": "Service Modification",
- "description": "Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)",
+ "description": "Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.\n\n*Data Collection Measures: *\n\n- Windows Event Logs\n - Event ID 7040 - Detects modifications to the startup behavior of a service.\n - Event ID 7045 - Can capture changes made to existing services.\n - Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering.\n - Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters.\n- Sysmon Logs\n - Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., `HKLM\\SYSTEM\\CurrentControlSet\\Services\\`).\n - Sysmon Event ID 1 - Can track execution of `sc.exe` or `PowerShell Set-Service`.\n- PowerShell Logging\n - Event ID 4104 (Script Block Logging) - Captures execution of commands like `Set-Service`, `New-Service`, or `sc config`.\n - Command-Line Logging (Event ID 4688) - Tracks usage of service modification commands:\n - `sc config start= auto` \n - `sc qc ` \n- Linux/macOS Collection Methods\n - Systemd Journals (`journalctl -u `) Tracks modifications to systemd service configurations.\n - Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`) Captures changes to service state and execution parameters.\n - AuditD Rules for Service Modification \n - Monitor modifications to `/etc/systemd/system/` for new or altered service unit files: `auditctl -w /etc/systemd/system/ -p wa -k service_modification`\n - Track execution of `systemctl` or `service` commands: `auditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl -F key=service_mod`\n - OSQuery for Linux/macOS Monitoring\n - Query modified services using OSQuery\u2019s `processes` or `system_info` tables: `SELECT * FROM systemd_units WHERE state != 'running';`\n - macOS Launch Daemon/Agent Modification\n - Monitor for changes in:\n - `/Library/LaunchDaemons/`\n - `/Library/LaunchAgents/`\n - Track modifications to `.plist` files indicating persistence attempts.",
"x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
index 114d218a05..9401cf77f6 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
@@ -1,15 +1,9 @@
{
"type": "bundle",
- "id": "bundle--992df4b5-8cdd-48f7-a5f3-a6b54014cceb",
+ "id": "bundle--b74c46c6-458e-49ce-9187-f28ea4b704aa",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-07T16:14:39.124Z",
- "name": "Command Execution",
- "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )",
- "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.1",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"created": "2021-10-20T15:05:19.273Z",
@@ -18,8 +12,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:11:30.145Z",
+ "name": "Command Execution",
+ "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . -list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.\n\nThis data component can be collected through the following measures:\n\nEnable Command Logging\n\n- Windows:\n - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name EnableScriptBlockLogging -Value 1`\n - Enable Windows Event Logging:\n - Event ID 4688: Tracks process creation, including command-line arguments.\n - Event ID 4104: Logs PowerShell script block execution.\n- Linux/macOS:\n - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='history -a; history -w'`\n - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`\n- Containers:\n - Use runtime-specific tools like Docker\u2019s --log-driver or Kubernetes Audit Logs to capture exec commands.\n\nIntegrate with Centralized Logging\n\n- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:\n`index=windows EventID=4688 CommandLine=*`\n\nUse Endpoint Detection and Response (EDR) Tools\n\n- Monitor command executions via EDR solutions \n\nDeploy Sysmon for Advanced Logging (Windows)\n\n- Use Sysmon's Event ID 1 to log process creation with command-line arguments",
+ "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json
index 0cb5dc4649..da324a8120 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json
@@ -1,23 +1,27 @@
{
"type": "bundle",
- "id": "bundle--dbe671ea-e3ba-4180-85b6-fe20df467e1e",
+ "id": "bundle--74137d01-435f-4e56-b166-30216123d515",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:10:51.004Z",
"name": "Service Metadata",
"description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.",
"x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json
index 7ecbdadbf3..2d8027263f 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json
@@ -1,23 +1,26 @@
{
"type": "bundle",
- "id": "bundle--e3138552-54a1-4636-812b-0af47b568eb2",
+ "id": "bundle--ac6f62d9-7cac-4253-815c-14f2e5e3e700",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.271Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.271Z",
+ "modified": "2025-04-18T15:11:39.543Z",
"name": "Scheduled Job Metadata",
"description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.",
"x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json
index e6efa2b209..d3eb015446 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--8f5db0c5-0380-422e-bde5-fa5929ca12c3",
+ "id": "bundle--17e6f90f-99cd-4494-b695-216719c68af6",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:10:11.410Z",
"name": "File Modification",
- "description": "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)",
+ "description": "Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: \n\n- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\System32\\drivers\\etc\\hosts` on Windows.\n- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows.\n- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.\n- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows.\n- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.\n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Event Logs: Enable file system auditing to monitor file modifications using Security Event ID 4670 (File System Audit) or Sysmon Event ID 2 (File creation time changed).\n- PowerShell: Use Get-ItemProperty or Get-Acl cmdlets to monitor file properties: `Get-Item -Path \"C:\\path\\to\\file\" | Select-Object Name, Attributes, LastWriteTime`\n\nLinux\n\n- File System Monitoring: Use tools like auditd with rules to monitor file modifications: `auditctl -w /path/to/file -p wa -k file_modification`\n- Inotify: Use inotifywait to watch for real-time changes to files or directories: `inotifywait -m /path/to/file`\n\nmacOS\n\n- Endpoint Security Framework (ESF): Monitor file modification events using ESF APIs.\n- Audit Framework: Configure audit rules to track file changes.\n- Command-Line Tools: Use fs_usage to monitor file activities: `fs_usage -w /path/to/file`\n\nSIEM Tools\n\n- Collect logs from endpoint agents (e.g., Sysmon, Auditd) and file servers to centralize file modification event data.",
"x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json
index 68f91905cd..fdcde9d248 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--7cde91ea-fe6c-46fc-a66d-30d6fdc06151",
+ "id": "bundle--23148c96-1078-4fa5-a015-40a99da59eca",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-21T21:47:33.604Z",
- "name": "Software",
- "description": "This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).",
- "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_version": "1.0",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d",
"created": "2022-09-23T16:36:08.632Z",
@@ -21,8 +12,17 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:11:53.563Z",
+ "name": "Software",
+ "description": "This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).",
+ "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json
index 8b52ec2242..0f4281e3a2 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json
@@ -1,26 +1,26 @@
{
"type": "bundle",
- "id": "bundle--d10e3ea8-62a4-48b2-b8ae-300ce2750396",
+ "id": "bundle--dc34a511-0389-411f-b7a8-11f9b676946e",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_domains": [
- "ics-attack"
- ],
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+ "created": "2022-05-11T16:22:58.802Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2022-05-11T16:22:58.802Z",
- "created": "2022-05-11T16:22:58.802Z",
- "type": "x-mitre-data-component",
- "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+ "modified": "2025-04-16T21:26:36.842Z",
"name": "Process History/Live Data",
"description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices",
- "x_mitre_version": "1.0",
"x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json
index 92bd8b703a..fdd03fac2b 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json
@@ -1,15 +1,9 @@
{
"type": "bundle",
- "id": "bundle--df3fde49-6e55-43a0-a1b8-a0600e78ee15",
+ "id": "bundle--6d210001-0fec-48b5-afe2-54b02719f2ce",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-04-21T15:41:36.287Z",
- "name": "OS API Execution",
- "description": "Operating system function/method calls executed by a process",
- "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
"created": "2021-10-20T15:05:19.272Z",
@@ -18,8 +12,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:10:31.145Z",
+ "name": "OS API Execution",
+ "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Leverage tools to monitor API execution behaviors at the process level.\n - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.\n- Process Monitor (ProcMon):\n - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis.\n- Windows Event Logs:\n - Use Event IDs from Windows logs for specific API-related activities:\n - Event ID 4688: A new process has been created (can indirectly infer API use).\n - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).\n- Dynamic Analysis Tools:\n - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.\n- Host-Based Logs:\n - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.\n- Runtime Monitors:\n - Runtime security tools like Falco can monitor system-level calls for API execution.\n- Debugging and Tracing:\n - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json
index 08f11d0662..ba250c97fc 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--21c34df0-645e-48bc-8200-dba7debc99f3",
+ "id": "bundle--343c4e3b-ee8c-4fec-877c-d28ee55c320e",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.272Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.272Z",
+ "modified": "2025-04-18T15:09:35.474Z",
"name": "Application Log Content",
- "description": "Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)",
+ "description": "Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: \n\n- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).\n- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).\n- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.\n- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.\n- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.\n\nThis data component can be collected through the following measures:\n\nConfigure Application Logging\n\n- Enable logging within the application or service.\n- Examples:\n - Web Servers: Enable access and error logs in NGINX or Apache.\n - Email Systems: Enable audit logging in Microsoft Exchange or Gmail.\n\nCentralized Log Management\n\n- Use log management solutions like Splunk, or a cloud-native logging solution.\n- Configure the application to send logs to a centralized system for analysis.\n\nCloud-Specific Collection\n\n- Use services like AWS CloudWatch, Azure Monitor, or Google Cloud Operations Suite for cloud-based applications.\n- Ensure logging is enabled for all critical resources (e.g., API calls, IAM changes).\n\nSIEM Integration\n\n- Integrate application logs with a SIEM platform (e.g., Splunk, QRadar) for real-time correlation and analysis.\n- Use parsers to standardize log formats and extract key fields like timestamps, user IDs, and error codes.",
"x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json
index 47c37c1653..f5174f6e13 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json
@@ -1,15 +1,9 @@
{
"type": "bundle",
- "id": "bundle--38cdb322-8d98-4e10-8950-c748aa4095bf",
+ "id": "bundle--f347a928-1190-430f-a42b-c646baa5f370",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-07T16:18:20.802Z",
- "name": "Logon Session Creation",
- "description": "Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)",
- "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.1",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
"created": "2021-10-20T15:05:19.274Z",
@@ -18,8 +12,18 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:12:26.544Z",
+ "name": "Logon Session Creation",
+ "description": "The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: \n\n- Windows Systems\n - Event ID: 4624\n - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).\n - Account Name: JohnDoe\n - Source Network Address: 192.168.1.100\n - Authentication Package: NTLM\n- Linux Systems\n - /var/log/utmp or /var/log/wtmp:\n - Log format: login user [tty] from [source_ip]\n - User: jane\n - IP: 10.0.0.5\n - Timestamp: 2024-12-28 08:30:00\n- macOS Systems\n - /var/log/asl.log or unified logging framework:\n - Log: com.apple.securityd: Authentication succeeded for user 'admin'\n- Cloud Environments\n - Azure Sign-In Logs:\n - Activity: Sign-in successful\n - Client App: Browser\n - Location: Unknown (Country: X)\n- Google Workspace\n - Activity: Login\n - Event Type: successful_login\n - Source IP: 203.0.113.55\n\nThis data component can be collected through the following measures:\n\n- Windows Systems\n - Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons.\n - PowerShell Example: `Get-EventLog -LogName Security -InstanceId 4624`\n- Linux Systems\n - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/var/log/auth.log` for logon events.\n - Tools: Use `last` or `who` commands to parse login records.\n- macOS Systems\n - Log Sources: Monitor `/var/log/asl.log` or Apple Unified Logs using the `log show` command.\n - Command Example: `log show --predicate 'eventMessage contains \"Authentication succeeded\"' --info`\n- Cloud Environments\n - Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: `az monitor log-analytics query -w --analytics-query \"AzureActivity | where ActivityStatus == 'Success' and OperationName == 'Sign-in'\"`\n - Google Workspace: Enable and monitor Login Audit logs from the Admin Console.\n - Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events.\n- Network Logs\n - Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs).\n- Enable EDR Monitoring: \n - EDR tools monitor logon session activity, including the creation of new sessions.\n - Configure alerts for: Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service). Logons from unusual locations, accounts, or devices.\n - Leverage EDR telemetry for session attributes like source IP, session duration, and originating process.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json
index 756c684dc5..35866c3660 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json
@@ -1,26 +1,26 @@
{
"type": "bundle",
- "id": "bundle--22096010-4899-4f7b-a669-345ca510bfb5",
+ "id": "bundle--e2fafd8c-373a-4852-a732-6ae5cf75a0aa",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_domains": [
- "ics-attack"
- ],
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+ "created": "2022-05-11T16:22:58.802Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2022-05-11T16:22:58.802Z",
- "created": "2022-05-11T16:22:58.802Z",
- "type": "x-mitre-data-component",
- "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+ "modified": "2025-04-16T21:26:36.998Z",
"name": "Device Alarm",
"description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes",
- "x_mitre_version": "1.0",
"x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json
index 8decdd12db..00e20e35bf 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json
@@ -1,15 +1,9 @@
{
"type": "bundle",
- "id": "bundle--9d631261-001a-431a-a250-1babcc242d77",
+ "id": "bundle--1505ee59-9abd-4d61-8d46-ec78ba11256b",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-07T16:16:55.269Z",
- "name": "Script Execution",
- "description": "The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)",
- "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.1",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
"created": "2021-10-20T15:05:19.272Z",
@@ -18,8 +12,18 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:12:46.164Z",
+ "name": "Script Execution",
+ "description": "The execution of a text file that contains code via the interpreter.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n - Event ID 4104 (PowerShell Script Block Logging) \u2013 Captures full command-line execution of PowerShell scripts.\n - Event ID 4688 (Process Creation) \u2013 Detects script execution by tracking process launches (`powershell.exe`, `wscript.exe`, `cscript.exe`).\n - Event ID 5861 (Script Execution) \u2013 Captures script execution via Windows Defender AMSI logging.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation) \u2013 Monitors script execution initiated by scripting engines.\n - Event ID 11 (File Creation) \u2013 Detects new script files written to disk before execution.\n- Endpoint Detection and Response (EDR) Tools:\n - Track script execution behavior, detect obfuscated commands, and prevent malicious scripts.\n- PowerShell Logging:\n - Enable Module Logging: Logs all loaded modules and cmdlets.\n - Enable Script Block Logging: Captures complete PowerShell script execution history.\n- SIEM Detection Rules:\n - Detect script execution with obfuscated, encoded, or remote URLs.\n - Alert on script executions using `-EncodedCommand` or `iex(iwr)`.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
index 59ded53a3b..464c2f60d1 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
@@ -1,23 +1,30 @@
{
"type": "bundle",
- "id": "bundle--35a50ebb-1e4b-4bbc-9b19-575d6a045550",
+ "id": "bundle--dbe4a51a-f724-4782-889c-a7d923346c4e",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.274Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.274Z",
+ "modified": "2025-04-18T15:11:20.168Z",
"name": "Network Traffic Flow",
- "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)",
+ "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.\n\n*Data Collection Measures:*\n\n- Network Flow Logs (Metadata Collection)\n - NetFlow \n - Summarized metadata for network conversations (no packet payloads).\n - sFlow (Sampled Flow Logging)\n - Captures sampled packets from switches and routers.\n - Used for real-time traffic monitoring and anomaly detection.\n - Zeek (Bro) Flow Logs\n - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.\n- Host-Based Collection\n - Sysmon Event ID 3 \u2013 Network Connection Initiated\n - Logs process-level network activity, useful for detecting malicious outbound connections.\n - AuditD (Linux) \u2013 syscall=connect\n - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Flow Monitoring\n - AWS VPC Flow Logs\n - Captures metadata for traffic between EC2 instances, security groups, and internet gateways.\n - Azure NSG Flow Logs / Google VPC Flow Logs\n - Logs ingress/egress traffic for cloud-based resources.",
"x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json
index 4674267634..82c22ae2de 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json
@@ -1,15 +1,9 @@
{
"type": "bundle",
- "id": "bundle--d1981cf8-cf3a-4509-8468-d87b1ba9abf3",
+ "id": "bundle--36265d66-84d6-452d-97d2-9aba94b49a9e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-07T16:19:46.282Z",
- "name": "User Account Authentication",
- "description": "An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)",
- "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.1",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e",
"created": "2021-10-20T15:05:19.271Z",
@@ -18,8 +12,18 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:09:42.067Z",
+ "name": "User Account Authentication",
+ "description": "An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.\n\n*Data Collection Measures:*\n\n- Host-Based Authentication Logs\n - Windows Event Logs\n - Event ID 4776 \u2013 NTLM authentication attempt.\n - Event ID 4624 \u2013 Successful user logon.\n - Event ID 4625 \u2013 Failed authentication attempt.\n - Event ID 4648 \u2013 Explicit logon with alternate credentials.\n - Linux/macOS Authentication Logs\n - `/var/log/auth.log`, `/var/log/secure` \u2013 Logs SSH, sudo, and other authentication attempts.\n - AuditD \u2013 Tracks authentication events via PAM modules.\n - macOS Unified Logs \u2013 `/var/db/diagnostics` captures authentication failures.\n- Cloud Authentication Logs\n - Azure AD Logs\n - Sign-in Logs \u2013 Tracks authentication attempts, MFA challenges, and conditional access failures.\n - Audit Logs \u2013 Captures authentication-related configuration changes.\n - Microsoft Graph API \u2013 Provides real-time sign-in analytics.\n - Google Workspace & Office 365\n - Google Admin Console \u2013 `User Login Report` tracks login attempts and failures.\n - Office 365 Unified Audit Logs \u2013 Captures logins across Exchange, SharePoint, and Teams.\n - AWS CloudTrail & IAM\n - Tracks authentication via `AWS IAM AuthenticateUser` and `sts:GetSessionToken`.\n - Logs failed authentications to AWS Management Console and API requests.\n- Container Authentication Monitoring\n - Kubernetes Authentication Logs\n - kubectl audit logs \u2013 Captures authentication attempts for service accounts and admin users.\n - Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) \u2013 Logs IAM authentication events.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json
index e165f5d2b7..73ef376520 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--ee66bdf5-a457-4cbe-b463-73476d2e0102",
+ "id": "bundle--1a7be88c-b465-4d3a-be1c-f854da9ab585",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-10-21T21:47:58.629Z",
- "name": "Asset Inventory",
- "description": "This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)",
- "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_version": "1.0",
"type": "x-mitre-data-component",
"id": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
"created": "2022-09-23T16:34:00.912Z",
@@ -21,8 +12,17 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:11:50.339Z",
+ "name": "Asset Inventory",
+ "description": "This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json
index 8b52d6e23e..b026bcd5af 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--c29e988e-cdda-4a93-86cd-fab5758277ae",
+ "id": "bundle--f0048205-b4cc-49d8-97a5-0b9a6ad99f8e",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.271Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.271Z",
+ "modified": "2025-04-18T15:12:52.606Z",
"name": "Firmware Modification",
- "description": "Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)",
+ "description": "Changes made to firmware, which may include its settings, configurations, or underlying data. This can encompass alterations to the Master Boot Record (MBR), Volume Boot Record (VBR), or other firmware components critical to system boot and functionality. Such modifications are often indicators of adversary activity, including malware persistence and system compromise. Examples: \n\n- Changes to Master Boot Record (MBR): Modifying the MBR to load malicious code during the boot process.\n- Changes to Volume Boot Record (VBR): Altering the VBR to redirect boot processes to malicious locations.\n- Firmware Configuration Changes: Modifying BIOS/UEFI settings such as disabling Secure Boot.\n- Firmware Image Tampering: Updating firmware with a malicious or unauthorized image.\n- Logs or Errors Indicating Firmware Changes: Logs showing unauthorized firmware updates or checksum mismatches.\n\nThis data component can be collected through the following measures:\n\n- BIOS/UEFI Logs: Enable and monitor BIOS/UEFI logs to capture settings changes or firmware updates.\n- Firmware Integrity Monitoring: Use tools or firmware security features to detect changes to firmware components.\n- Endpoint Detection and Response (EDR) Solutions: Many EDR platforms can detect abnormal firmware activity, such as changes to MBR/VBR or unauthorized firmware updates.\n- File System Monitoring: Monitor changes to MBR/VBR-related files using tools like Sysmon or auditd.\n - Windows Example (Sysmon): Monitor Event ID 7 (Raw disk access).\n - Linux Example (auditd): `auditctl -w /dev/sda -p wa -k firmware_modification`\n- Network Traffic Analysis: Capture firmware updates downloaded over the network, particularly from untrusted sources. Use network monitoring tools like Zeek or Wireshark to analyze firmware-related traffic.\n- Secure Boot Logs: Collect and analyze Secure Boot logs for signs of tampering or unauthorized configurations. Example: Use PowerShell to retrieve Secure Boot settings on Windows: `Confirm-SecureBootUEFI`\n- Vendor-Specific Firmware Tools: Many hardware vendors provide tools for firmware integrity checks.Examples:\n - Intel Platform Firmware Resilience (PFR).\n - Lenovo UEFI diagnostics.",
"x_mitre_data_source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json
index 7de0f699a6..6c1d63de06 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--b37c02d2-7c2b-4c0b-8dad-11bf4ff38c9a",
+ "id": "bundle--9bed50a8-f9e5-4a33-a4f9-5d547e84feaf",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.272Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.272Z",
+ "modified": "2025-04-18T15:12:16.486Z",
"name": "Module Load",
- "description": "Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)",
+ "description": "When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.\n\n*Data Collection Measures:*\n\n- Event Logging (Windows):\n - Sysmon Event ID 7: Logs when a DLL is loaded into a process.\n - Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads.\n - Windows Defender ATP: Can provide visibility into suspicious module loads.\n- Event Logging (Linux/macOS):\n - AuditD (`execve` and `open` syscalls): Captures when shared libraries (`.so` files) are loaded.\n - Ltrace/Strace: Monitors process behavior, including library calls (`dlopen`, `execve`).\n - MacOS Endpoint Security Framework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES`).\n- Endpoint Detection & Response (EDR): \n - Provide real-time telemetry on module loads and process injections.\n - Sysinternals Process Monitor (`procmon`): Captures loaded modules and their execution context.\n- Memory Forensics:\n - Volatility Framework (`malfind`, `ldrmodules`): Detects injected DLLs and anomalous module loads.\n - Rekall Framework: Useful for kernel-mode module detection.\n- SIEM and Log Analysis:\n - Centralized log aggregation to correlate suspicious module loads across the environment.\n - Detection rules using correlation searches and behavioral analytics.",
"x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json
index f9a7b06234..09e2cb68f5 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--bbfa361b-ed4d-4772-a5f0-1e4b10874067",
+ "id": "bundle--7b7b71bd-d4b4-4ead-bdb5-fecf60fae6c1",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2025-04-18T15:11:59.993Z",
"name": "Windows Registry Key Modification",
- "description": "Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)",
+ "description": "Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n - Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.\n- Sysmon (System Monitor) for Windows\n - Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.\n - Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.\n- Endpoint Detection and Response (EDR) Solutions\n - Monitor registry modifications for suspicious behavior.",
"x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json
index ce37e5e99c..8d7423960a 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--3aa7e28b-f534-48d9-a464-610ab1bb76cc",
+ "id": "bundle--7da58436-b8d1-4157-9024-51302d9b9116",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2022-03-30T14:26:51.805Z",
+ "modified": "2025-04-18T15:10:21.434Z",
"name": "File Deletion",
- "description": "Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)",
+ "description": "Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.\n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes.\n- Windows Event Log: Enable \"Object Access\" auditing to monitor file deletions.\n- PowerShell: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'}`\n\nLinux\n\n- Auditd: Use audit rules to capture file deletion events: `auditctl -a always,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_deletion`\n- Query logs: `ausearch -k file_deletion`\n- Inotify: Use inotifywait to monitor file deletions: `inotifywait -m /path/to/watch -e delete`\n\nmacOS\n\n- Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities.\n- FSEvents: Track file deletion activities in real-time: `fs_usage | grep unlink`\n\nSIEM Integration\n\n- Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events.\n",
"x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json
index 9353dece75..5f8101de34 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json
@@ -1,23 +1,30 @@
{
"type": "bundle",
- "id": "bundle--82d88171-9ee0-4d94-83a9-d644cc41be26",
+ "id": "bundle--3ec96eee-bc6d-4a8b-97ff-2e35445671f3",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.272Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.272Z",
+ "modified": "2025-04-18T15:10:37.873Z",
"name": "Process Metadata",
"description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.",
"x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json
index f66fe84799..bd3a4e8c8a 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--e3ddde4d-9bb6-4ba4-b248-05ca2ac8813c",
+ "id": "bundle--71e4453f-5c8a-434c-bfcc-463addb9821b",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.271Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.271Z",
+ "modified": "2025-04-18T15:11:43.635Z",
"name": "Scheduled Job Creation",
- "description": "Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)",
+ "description": "The establishment of a task or job that will execute at a predefined time or based on specific triggers.\n\n*Data Collection Measures: *\n\n- Windows Event Logs:\n - Event ID 4698 (Scheduled Task Created) \u2013 Detects the creation of new scheduled tasks.\n - Event ID 4702 (Scheduled Task Updated) \u2013 Identifies modifications to existing scheduled jobs.\n - Event ID 106 (TaskScheduler Operational Log) \u2013 Provides details about scheduled task execution.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation) \u2013 Detects the execution of suspicious tasks started by `schtasks.exe`, `at.exe`, or `taskeng.exe`.\n- Linux/macOS Monitoring:\n - AuditD: Monitor modifications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` files.\n - Syslog: Capture cron job execution logs from `/var/log/cron`.\n - OSQuery: Query the `crontab` and `launchd` tables for scheduled job configurations.\n- Endpoint Detection and Response (EDR) Tools:\n - Track scheduled task creation and modification events.\n- SIEM & XDR Detection Rules:\n - Monitor for scheduled jobs created by unusual users.\n - Detect tasks executing scripts from non-standard directories.",
"x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json
index 57f69d0efc..e25cc21acf 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--86239f0c-69cd-4a70-8c50-5b39c62a3311",
+ "id": "bundle--44589531-78c1-4beb-bbdf-6adf1f7d4e22",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa",
+ "created": "2021-10-20T15:05:19.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.275Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.275Z",
+ "modified": "2025-04-18T15:10:01.621Z",
"name": "Network Share Access",
- "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)",
+ "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5140 \u2013 Network Share Object Access Logs every access attempt to a network share.\n - Event ID 5145 \u2013 Detailed Network Share Object Access Captures granular access control information, including the requesting user, source IP, and access permissions.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated Helps track SMB connections to suspicious or unauthorized network shares.\n - Enable Audit Policy for Network Share Access: `auditpol /set /subcategory:\"File Share\" /success:enable /failure:enable`\n - Enable PowerShell Logging to Detect Unauthorized SMB Access: `Set-ExecutionPolicy RemoteSigned`\n - Restrict Network Share Access with Group Policy (GPO): `Computer Configuration \u2192 Windows Settings \u2192 Security Settings \u2192 Local Policies \u2192 User Rights Assignment` Set \"Access this computer from the network\" to restrict unauthorized accounts.\n- Linux/macOS:\n - AuditD (`open`, `read`, `write`, `connect` syscalls) Detects access to NFS, CIFS, and SMB network shares.\n - Lsof (`lsof | grep nfs` or `lsof | grep smb`) Identifies active network share connections.\n - Mount (`mount | grep nfs` or `mount | grep cifs`) Lists currently mounted network shares.\n - Enable AuditD for SMB/NFS Access: `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access`\n - Monitor Active Network Shares Using Netstat: `netstat -an | grep :445`\n- Endpoint Detection & Response (EDR):\n - Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity.",
"x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
index fc466c5387..f103f218a5 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
@@ -1,23 +1,29 @@
{
"type": "bundle",
- "id": "bundle--20ad6cb4-0926-40fd-97f1-d1087c194b18",
+ "id": "bundle--fc9ae5c0-4957-4f9f-8571-a3b38f790bfb",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "id": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.271Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.271Z",
+ "modified": "2025-04-18T15:11:40.267Z",
"name": "Scheduled Job Modification",
- "description": "Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)",
+ "description": "Changes made to an existing scheduled job, including modifications to its execution parameters, command payload, or execution timing.",
"x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
index dd17bda250..2c88303766 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
@@ -1,37 +1,9 @@
{
"type": "bundle",
- "id": "bundle--a658c587-04e3-47e4-a7bc-2a1e04f0f8ec",
+ "id": "bundle--1cebe553-38e4-49d1-b1a0-3b8a35ed88ef",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-10-14T22:11:30.271Z",
- "name": "User Account",
- "description": "A profile representing a user, device, service, or application used to authenticate and access resources",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "Containers",
- "IaaS",
- "Linux",
- "SaaS",
- "Windows",
- "macOS",
- "Office Suite",
- "Identity Provider"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Cloud Control Plane",
- "Container",
- "Host"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
"created": "2021-10-20T15:05:19.271Z",
@@ -46,6 +18,36 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T15:09:38.667Z",
+ "name": "User Account",
+ "description": "A profile representing a user, device, service, or application used to authenticate and access resources",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers",
+ "IaaS",
+ "Linux",
+ "SaaS",
+ "Windows",
+ "macOS",
+ "Office Suite",
+ "Identity Provider",
+ "ESXi"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane",
+ "Container",
+ "Host"
]
}
]
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
index 22675a8ad3..e64226d43a 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
@@ -1,24 +1,11 @@
{
"type": "bundle",
- "id": "bundle--92491245-064a-4131-bcff-98d8aa7b1774",
+ "id": "bundle--58747097-0d67-491d-a731-459abeaee593",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0",
"type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0",
"created": "2021-10-20T15:05:19.273Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
@@ -33,12 +20,25 @@
"url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry"
}
],
- "modified": "2022-05-11T14:00:00.188Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T20:39:08.970Z",
"name": "Windows Registry",
"description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
index 8ba24d27f9..eec59668e4 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
@@ -1,26 +1,9 @@
{
"type": "bundle",
- "id": "bundle--3815ed3f-b49a-41de-b28b-d85d87712036",
+ "id": "bundle--52b5b955-8dfc-40ad-a023-a84a9776428e",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-12-07T19:50:56.964Z",
- "name": "Script",
- "description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e",
"created": "2021-10-20T15:05:19.272Z",
@@ -51,8 +34,27 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:12:42.967Z",
+ "name": "Script",
+ "description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows",
+ "ESXi"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
index 9c106fd110..3bc8ad9163 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
@@ -1,20 +1,9 @@
{
"type": "bundle",
- "id": "bundle--3bd1ee5d-6829-4da7-b3ea-3debe0f574fe",
+ "id": "bundle--37a4b2d4-0b73-476d-a2d9-149b4414e298",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-24T19:14:55.615Z",
- "name": "Operational Databases",
- "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_collection_layers": [
- "Host"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552",
"created": "2022-05-11T16:22:58.802Z",
@@ -30,8 +19,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:35.400Z",
+ "name": "Operational Databases",
+ "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
index 601d9ff35f..4c4a541629 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
@@ -1,31 +1,9 @@
{
"type": "bundle",
- "id": "bundle--cbb53c51-cfee-4768-91f8-c2f2a52ed164",
+ "id": "bundle--3bc04d09-a4e4-4ff5-a7e8-577577b928d6",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-10-14T22:11:30.271Z",
- "name": "Application Log",
- "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "IaaS",
- "Linux",
- "SaaS",
- "Windows",
- "macOS",
- "Office Suite"
- ],
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_collection_layers": [
- "Cloud Control Plane",
- "Host"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4",
"created": "2021-10-20T15:05:19.272Z",
@@ -44,6 +22,29 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T20:39:10.207Z",
+ "name": "Application Log",
+ "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Linux",
+ "SaaS",
+ "Windows",
+ "macOS",
+ "Office Suite",
+ "ESXi"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane",
+ "Host"
]
}
]
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
index cb16ed8cba..033c941c52 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
@@ -1,36 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b95cc819-e7ec-4570-8096-77cc689b524c",
+ "id": "bundle--5b34d462-a5e7-4a2b-ba96-2690b6345fe2",
"spec_version": "2.0",
"objects": [
{
- "modified": "2024-10-14T22:11:30.271Z",
- "name": "Logon Session",
- "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_platforms": [
- "IaaS",
- "Linux",
- "SaaS",
- "Windows",
- "macOS",
- "Office Suite",
- "Identity Provider"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Cloud Control Plane",
- "Host",
- "Network"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891",
"created": "2021-10-20T15:05:19.274Z",
@@ -50,6 +23,35 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T15:12:19.778Z",
+ "name": "Logon Session",
+ "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Linux",
+ "SaaS",
+ "Windows",
+ "macOS",
+ "Office Suite",
+ "Identity Provider",
+ "ESXi"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane",
+ "Host",
+ "Network"
]
}
]
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
index 0c258e4a7d..79c0c9a799 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
@@ -1,29 +1,9 @@
{
"type": "bundle",
- "id": "bundle--1cee754a-8d8b-4918-8820-3a178170d417",
+ "id": "bundle--121bf6fe-4070-446e-9305-3ace629e9f95",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-12-07T19:35:34.863Z",
- "name": "File",
- "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)",
- "x_mitre_platforms": [
- "Linux",
- "Network",
- "Windows",
- "macOS"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
"created": "2021-10-20T15:05:19.273Z",
@@ -44,8 +24,30 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:10:04.845Z",
+ "name": "File",
+ "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Network Devices",
+ "Windows",
+ "macOS",
+ "ESXi"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
index 071b39fca5..36405c4a87 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
@@ -1,28 +1,11 @@
{
"type": "bundle",
- "id": "bundle--f2cf23af-dcc0-4e58-b6fa-ae362e7dd746",
+ "id": "bundle--67b87b07-366c-42ff-b88d-463bfcca7aaa",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065",
"type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065",
"created": "2021-10-20T15:05:19.272Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
@@ -37,12 +20,30 @@
"url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread"
}
],
- "modified": "2022-03-30T14:26:51.804Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T15:12:29.888Z",
"name": "Drive",
"description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
index 68843da7e0..fbdfef173d 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
@@ -1,35 +1,9 @@
{
"type": "bundle",
- "id": "bundle--d836a432-37f0-44df-b861-8584800aba5e",
+ "id": "bundle--cb8b7381-e50a-4790-9a88-96059369521c",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-04-20T18:38:00.625Z",
- "name": "Command",
- "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)",
- "x_mitre_platforms": [
- "Containers",
- "Linux",
- "Network",
- "Windows",
- "macOS",
- "Android",
- "iOS"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "mobile-attack"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)",
- "Austin Clark, @c2defense"
- ],
- "x_mitre_collection_layers": [
- "Container",
- "Host"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089",
"created": "2021-10-20T15:05:19.273Z",
@@ -55,8 +29,36 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:11:26.880Z",
+ "name": "Command",
+ "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers",
+ "Linux",
+ "Network Devices",
+ "Windows",
+ "macOS",
+ "Android",
+ "iOS",
+ "ESXi"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)",
+ "Austin Clark, @c2defense"
+ ],
+ "x_mitre_collection_layers": [
+ "Container",
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
index dc8b81dc21..ccaf80668b 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
@@ -1,20 +1,9 @@
{
"type": "bundle",
- "id": "bundle--8aeeaaa3-f3ee-4f6b-80ff-b2edb93d1302",
+ "id": "bundle--15adf84e-366d-4b03-a737-c6c4d6b17ccf",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-24T19:14:15.637Z",
- "name": "Asset",
- "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_collection_layers": [
- "Host"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c",
"created": "2022-05-11T16:22:58.802Z",
@@ -30,8 +19,19 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:35.809Z",
+ "name": "Asset",
+ "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
index 0b0b1ee5a6..e510d0df1a 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
@@ -1,28 +1,11 @@
{
"type": "bundle",
- "id": "bundle--4c9d4e05-ee0b-443f-9686-591c025ceb37",
+ "id": "bundle--c2a1b28e-ca28-4ea3-b013-d51e05632850",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e",
"type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e",
"created": "2021-10-20T15:05:19.274Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
@@ -37,12 +20,30 @@
"url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview"
}
],
- "modified": "2022-03-30T14:26:51.806Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T15:09:58.319Z",
"name": "Network Share",
"description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
index e485ff6118..5427d7dd79 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
@@ -1,35 +1,9 @@
{
"type": "bundle",
- "id": "bundle--2845dfe3-4100-4aef-8ad9-ea613ad83b7a",
+ "id": "bundle--b2763311-edf1-47ad-8029-f2738f290e0b",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-04-20T18:38:13.356Z",
- "name": "Network Traffic",
- "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
- "x_mitre_platforms": [
- "IaaS",
- "Linux",
- "Windows",
- "macOS",
- "Android",
- "iOS"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "mobile-attack"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)",
- "ExtraHop"
- ],
- "x_mitre_collection_layers": [
- "Cloud Control Plane",
- "Host",
- "Network"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
"created": "2021-10-20T15:05:19.274Z",
@@ -45,8 +19,36 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:11:13.424Z",
+ "name": "Network Traffic",
+ "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Linux",
+ "Windows",
+ "macOS",
+ "Android",
+ "iOS",
+ "ESXi"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)",
+ "ExtraHop"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane",
+ "Host",
+ "Network"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
index e39fc68854..3f05340e13 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
@@ -1,30 +1,11 @@
{
"type": "bundle",
- "id": "bundle--298886fd-dfff-4ad9-81ca-215739c1f9b7",
+ "id": "bundle--854c0615-64fa-4ac7-808f-8aab1ee778fe",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_platforms": [
- "Containers",
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Container",
- "Host"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
"type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
"created": "2021-10-20T15:05:19.271Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
@@ -39,12 +20,33 @@
"url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks"
}
],
- "modified": "2022-03-30T14:26:51.806Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T15:11:33.637Z",
"name": "Scheduled Job",
"description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Containers",
+ "Linux",
+ "Windows",
+ "macOS",
+ "ESXi"
+ ],
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Container",
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
index eee2dede6c..82b127f538 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
@@ -1,28 +1,11 @@
{
"type": "bundle",
- "id": "bundle--5cf16304-a812-46c9-aa9b-c9f6fe7c9d91",
+ "id": "bundle--cace5a79-f654-434e-9f67-d48470269a1d",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f",
"type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f",
"created": "2021-10-20T15:05:19.265Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
@@ -32,12 +15,30 @@
"external_id": "DS0001"
}
],
- "modified": "2022-03-30T14:26:51.805Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T15:12:49.401Z",
"name": "Firmware",
"description": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
index c29c40b77c..2703d49c9f 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
@@ -1,28 +1,11 @@
{
"type": "bundle",
- "id": "bundle--3d2944d5-ed9a-4fa8-a454-df96f1887fa2",
+ "id": "bundle--6379fdb8-5f8b-40e7-ba14-e0dc4b065e6c",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
"type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
"created": "2021-10-20T15:05:19.273Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
@@ -42,12 +25,31 @@
"url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/"
}
],
- "modified": "2022-03-30T14:26:51.807Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T15:10:47.833Z",
"name": "Service",
"description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS",
+ "ESXi"
+ ],
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
index 5b4f6aaca1..35709bb44e 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
@@ -1,31 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b881a4b9-ddc3-4dfa-91ae-ba1e37b1e27c",
+ "id": "bundle--f49039d2-32e3-4a73-b160-fd51b40943d8",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-04-20T18:38:26.515Z",
- "name": "Process",
- "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)",
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS",
- "Android",
- "iOS"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "mobile-attack"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
"type": "x-mitre-data-source",
"id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
"created": "2021-10-20T15:05:19.272Z",
@@ -46,8 +24,32 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-18T15:10:24.655Z",
+ "name": "Process",
+ "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS",
+ "Android",
+ "iOS",
+ "ESXi"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "mobile-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
index 30185ad3e7..a6b0668f7b 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
@@ -1,28 +1,11 @@
{
"type": "bundle",
- "id": "bundle--35ff51c0-f147-4d8c-93ff-a01699433e35",
+ "id": "bundle--0b71089b-3b58-4722-a3d0-61b32850365e",
"spec_version": "2.0",
"objects": [
{
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563",
"type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563",
"created": "2021-10-20T15:05:19.272Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
@@ -42,12 +25,30 @@
"url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module"
}
],
- "modified": "2022-03-30T14:26:51.806Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T15:12:13.134Z",
"name": "Module",
"description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
"x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ]
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json b/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
index 7e76672d33..8bdfc68478 100644
--- a/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
+++ b/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
@@ -1,9 +1,26 @@
{
"type": "bundle",
- "id": "bundle--4ea75679-ffea-4d44-91b2-3195cddfd1ca",
+ "id": "bundle--9e9dc446-b777-48d8-a6c5-f7239943163f",
"spec_version": "2.0",
"objects": [
{
+ "type": "x-mitre-matrix",
+ "id": "x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/matrices/ics/",
+ "external_id": "ics-attack"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:26:34.561Z",
+ "name": "ATT&CK for ICS",
+ "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.",
"tactic_refs": [
"x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a",
"x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45",
@@ -18,29 +35,12 @@
"x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024",
"x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279"
],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_domains": [
"ics-attack"
],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "created": "2018-10-17T00:14:20.652Z",
- "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "external_id": "ics-attack",
- "url": "https://attack.mitre.org/matrices/ics/"
- }
- ],
- "id": "x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7",
- "modified": "2022-05-06T17:47:24.396Z",
- "name": "ATT&CK for ICS",
- "type": "x-mitre-matrix",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json
index bac73f9eb7..ad09b262c9 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--270e5daf-5afa-41f7-b050-f54226320ffe",
+ "id": "bundle--4f1731fa-82f4-4c3e-afb4-9ae0f1005a81",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:12:52.701Z",
- "name": "Inhibit Response Function",
- "description": "The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.\n\nInhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. These techniques aim to actively deter and prevent expected alarms and responses that arise due to statuses in the ICS environment. Adversaries may modify or update system logic, or even outright prevent responses with a denial-of-service. They may result in the prevention, destruction, manipulation, or modification of programs, logic, devices, and communications. As prevention functions are generally dormant, reporting and processing functions can appear fine, but may have been altered to prevent failure responses in dangerous scenarios. Unlike [Evasion](https://attack.mitre.org/tactics/TA0103), Inhibit Response Function techniques may be more intrusive, such as actively preventing responses to a known dangerous scenario. Adversaries may use these techniques to follow through with or provide cover for [Impact](https://attack.mitre.org/tactics/TA0105) techniques.",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_shortname": "inhibit-response-function",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134",
"created": "2018-10-17T00:14:20.652Z",
@@ -28,8 +19,17 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:21.065Z",
+ "name": "Inhibit Response Function",
+ "description": "The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.\n\nInhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. These techniques aim to actively deter and prevent expected alarms and responses that arise due to statuses in the ICS environment. Adversaries may modify or update system logic, or even outright prevent responses with a denial-of-service. They may result in the prevention, destruction, manipulation, or modification of programs, logic, devices, and communications. As prevention functions are generally dormant, reporting and processing functions can appear fine, but may have been altered to prevent failure responses in dangerous scenarios. Unlike [Evasion](https://attack.mitre.org/tactics/TA0103), Inhibit Response Function techniques may be more intrusive, such as actively preventing responses to a known dangerous scenario. Adversaries may use these techniques to follow through with or provide cover for [Impact](https://attack.mitre.org/tactics/TA0105) techniques.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "inhibit-response-function"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json
index f200f5d93b..6092342d06 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b9d43511-e99a-453a-97b0-0cfdb9bb149f",
+ "id": "bundle--ddd43421-9179-4510-bdd1-048ccc698df0",
"spec_version": "2.0",
"objects": [
{
- "modified": "2022-09-29T21:38:48.906Z",
- "name": "Privilege Escalation",
- "description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_shortname": "privilege-escalation",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046",
"created": "2021-04-10T17:32:33.899Z",
@@ -28,8 +19,17 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:21.215Z",
+ "name": "Privilege Escalation",
+ "description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "privilege-escalation"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json
index 3aaff2ca27..c103767e52 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--3a0aa7e2-7321-462a-b51d-89c02b0a097f",
+ "id": "bundle--f27c06da-f149-4dff-9dce-8a5d6066ffb9",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:09:46.867Z",
- "name": "Lateral Movement",
- "description": "The adversary is trying to move through your ICS environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. These techniques abuse default credentials, known accounts, and vulnerable services, and may also leverage dual-homed devices and systems that reside on both the IT and OT networks. The adversary uses these techniques to pivot to their next point in the environment, positioning themselves to where they want to be or think they should be. Following through on their primary objective often requires [Discovery](https://attack.mitre.org/tactics/TA0102) of the network and [Collection](https://attack.mitre.org/tactics/TA0100) to develop awareness of unique ICS devices and processes, in order to find their target and subsequently gain access to it. Reaching this objective often involves pivoting through multiple systems, devices, and accounts. Adversaries may install their own remote tools to accomplish Lateral Movement or leverage default tools, programs, and manufacturer set or other legitimate credentials native to the network, which may be stealthier.",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_shortname": "lateral-movement",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924",
"created": "2018-10-17T00:14:20.652Z",
@@ -28,8 +19,17 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:21.394Z",
+ "name": "Lateral Movement",
+ "description": "The adversary is trying to move through your ICS environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. These techniques abuse default credentials, known accounts, and vulnerable services, and may also leverage dual-homed devices and systems that reside on both the IT and OT networks. The adversary uses these techniques to pivot to their next point in the environment, positioning themselves to where they want to be or think they should be. Following through on their primary objective often requires [Discovery](https://attack.mitre.org/tactics/TA0102) of the network and [Collection](https://attack.mitre.org/tactics/TA0100) to develop awareness of unique ICS devices and processes, in order to find their target and subsequently gain access to it. Reaching this objective often involves pivoting through multiple systems, devices, and accounts. Adversaries may install their own remote tools to accomplish Lateral Movement or leverage default tools, programs, and manufacturer set or other legitimate credentials native to the network, which may be stealthier.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "lateral-movement"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json
index 2acd190720..65f6eaa706 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json
@@ -1,19 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b6c7d564-1c1d-4896-9916-a0dc8119c038",
+ "id": "bundle--6e5adc35-7980-4df9-a6ca-3b03a5ef5fd4",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-09T18:38:51.471Z",
- "name": "Discovery",
- "description": "The adversary is locating information to assess and identify their targets in your environment.\n\nDiscovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_shortname": "discovery",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453",
"created": "2018-10-17T00:14:20.652Z",
@@ -27,7 +17,17 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:21.555Z",
+ "name": "Discovery",
+ "description": "The adversary is locating information to assess and identify their targets in your environment.\n\nDiscovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "discovery"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json
index 338d3f252e..e8d7bf64f7 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json
@@ -1,19 +1,9 @@
{
"type": "bundle",
- "id": "bundle--41f79b3d-dd3c-4e15-ac70-1375acbb2a52",
+ "id": "bundle--0c6453d8-7075-4472-9638-c1999415d8c3",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-09T18:38:51.471Z",
- "name": "Initial Access",
- "description": "The adversary is trying to get into your ICS environment.\n\nInitial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_shortname": "initial-access",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a",
"created": "2018-10-17T00:14:20.652Z",
@@ -27,7 +17,17 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:21.756Z",
+ "name": "Initial Access",
+ "description": "The adversary is trying to get into your ICS environment.\n\nInitial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "initial-access"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json
index 6782345034..5b832b5f23 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--6772975d-087f-4192-8e77-fe6b03d2d0da",
+ "id": "bundle--38598aff-7bca-4f6e-9a9b-b1950e19808c",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:22:09.571Z",
- "name": "Impact",
- "description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.\n\nImpact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques, which often manifest in more self-revealing impacts on operations, or [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary\u2019s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.\n\n[Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828), [Theft of Operational Information](https://attack.mitre.org/techniques/T0882), and [Damage to Property](https://attack.mitre.org/techniques/T0879) are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_shortname": "impact",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279",
"created": "2019-03-14T18:44:44.639Z",
@@ -28,8 +19,17 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:21.936Z",
+ "name": "Impact",
+ "description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.\n\nImpact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques, which often manifest in more self-revealing impacts on operations, or [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary\u2019s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.\n\n[Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828), [Theft of Operational Information](https://attack.mitre.org/techniques/T0882), and [Damage to Property](https://attack.mitre.org/techniques/T0879) are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "impact"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json
index eb9bc6d645..2fed62390c 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json
@@ -1,19 +1,9 @@
{
"type": "bundle",
- "id": "bundle--51249c12-2a2c-41e7-bc11-be838af1852b",
+ "id": "bundle--d4b7b6d1-195f-4633-bfde-64e8181f246d",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-09T18:38:51.471Z",
- "name": "Persistence",
- "description": "The adversary is trying to maintain their foothold in your ICS environment.\n\nPersistence consists of techniques that adversaries use to maintain access to ICS systems and devices across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that allow them to secure their ongoing activity and keep their foothold on systems. This may include replacing or hijacking legitimate code, firmware, and other project files, or adding startup code and downloading programs onto devices.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_shortname": "persistence",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac",
"created": "2018-10-17T00:14:20.652Z",
@@ -27,7 +17,17 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:22.111Z",
+ "name": "Persistence",
+ "description": "The adversary is trying to maintain their foothold in your ICS environment.\n\nPersistence consists of techniques that adversaries use to maintain access to ICS systems and devices across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that allow them to secure their ongoing activity and keep their foothold on systems. This may include replacing or hijacking legitimate code, firmware, and other project files, or adding startup code and downloading programs onto devices.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "persistence"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json
index 9dd5d1fadc..909ef61045 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--b6bc64b2-a0b6-44a0-a322-36440489b04d",
+ "id": "bundle--59a3829e-439e-4b39-a3e5-d77038c067bd",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:19:16.160Z",
- "name": "Execution",
- "description": "The adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network [Discovery](https://attack.mitre.org/tactics/TA0102) and [Collection](https://attack.mitre.org/tactics/TA0100), impact operations, and inhibit response functions.",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_shortname": "execution",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45",
"created": "2018-10-17T00:14:20.652Z",
@@ -28,8 +19,17 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:22.274Z",
+ "name": "Execution",
+ "description": "The adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network [Discovery](https://attack.mitre.org/tactics/TA0102) and [Collection](https://attack.mitre.org/tactics/TA0100), impact operations, and inhibit response functions.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "execution"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json
index 7f24d826de..9a82b6e8f7 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json
@@ -1,19 +1,9 @@
{
"type": "bundle",
- "id": "bundle--e9da037d-af00-48dc-b45a-eb4e78f986e9",
+ "id": "bundle--c866fe4a-7934-4827-984c-5f66ee8e04cf",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-09T18:38:51.471Z",
- "name": "Command and Control",
- "description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.\n\nCommand and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim\u2019s network structure and defenses.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_shortname": "command-and-control",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f",
"created": "2018-10-17T00:14:20.652Z",
@@ -27,7 +17,17 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:22.441Z",
+ "name": "Command and Control",
+ "description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.\n\nCommand and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim\u2019s network structure and defenses.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "command-and-control"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json
index d12a122c80..3d21f1b338 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--00b4a6fe-ce7d-4f2f-8548-2fcca74a5407",
+ "id": "bundle--51f2cba6-1b5c-43a6-aada-5925b9accf11",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:18:50.880Z",
- "name": "Collection",
- "description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal.\n\nCollection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of [Discovery](https://attack.mitre.org/tactics/TA0102), to compile data on control systems and targets of interest that may be used to follow through on the adversary\u2019s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_shortname": "collection",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9",
"created": "2018-10-17T00:14:20.652Z",
@@ -28,8 +19,17 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:22.653Z",
+ "name": "Collection",
+ "description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal.\n\nCollection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of [Discovery](https://attack.mitre.org/tactics/TA0102), to compile data on control systems and targets of interest that may be used to follow through on the adversary\u2019s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "collection"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json
index 05282f5b47..36af17ad28 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json
@@ -1,19 +1,9 @@
{
"type": "bundle",
- "id": "bundle--0648509e-ff96-4981-a198-2f319034d582",
+ "id": "bundle--70e16bff-dc75-4f07-ad90-b5bbeec3115d",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-09T18:38:51.471Z",
- "name": "Evasion",
- "description": "The adversary is trying to avoid security defenses.\n\nEvasion consists of techniques that adversaries use to avoid technical defenses throughout their campaign. Techniques used for evasion include removal of indicators of compromise, spoofing communications, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense evasion for this purpose are often more passive in nature.",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_shortname": "evasion",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7",
"created": "2018-10-17T00:14:20.652Z",
@@ -27,7 +17,17 @@
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:26:22.834Z",
+ "name": "Evasion",
+ "description": "The adversary is trying to avoid security defenses.\n\nEvasion consists of techniques that adversaries use to avoid technical defenses throughout their campaign. Techniques used for evasion include removal of indicators of compromise, spoofing communications, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense evasion for this purpose are often more passive in nature.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "evasion"
}
]
}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json
index 50cc231321..d6983bd158 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json
@@ -1,18 +1,9 @@
{
"type": "bundle",
- "id": "bundle--e3a4e5bb-1ecd-4289-b06f-9ee792318bff",
+ "id": "bundle--77264ab7-02ea-40c6-9c6a-4a8738a63b73",
"spec_version": "2.0",
"objects": [
{
- "modified": "2023-03-08T22:15:17.020Z",
- "name": "Impair Process Control",
- "description": "The adversary is trying to manipulate, disable, or damage physical control processes.\n\nImpair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107) techniques in tandem, to assist with the successful abuse of control processes to result in [Impact](https://attack.mitre.org/tactics/TA0105).",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_shortname": "impair-process-control",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024",
"created": "2018-10-17T00:14:20.652Z",
@@ -28,8 +19,17 @@
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:26:23.006Z",
+ "name": "Impair Process Control",
+ "description": "The adversary is trying to manipulate, disable, or damage physical control processes.\n\nImpair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107) techniques in tandem, to assist with the successful abuse of control processes to result in [Impact](https://attack.mitre.org/tactics/TA0105).",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_shortname": "impair-process-control"
}
]
}
\ No newline at end of file